• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 637
  • Last Modified:

Trying to convert SQLParameter into string for FilterExpression

Hi, I wanted to prevent sql injection when using a filterexpression. I tried this method and for some reason I cannot get the parameter to show up in the filter expression properly.
protected void Apply_Filter()
    {
        TextBox ProjSearchTxtSRCH = (TextBox)form1.FindControl("ProjSearchTxt");
        TextBox AgmntSearchtxtSRCH = (TextBox)form1.FindControl("AgmntSearchtxt");
        TextBox TNumberSearchtxtSRCH = (TextBox)form1.FindControl("TNumberSearchtxt");
        TextBox GISREFSearchtxtSRCH = (TextBox)form1.FindControl("GISREFSearchtxt");
        SqlConnection conn = new SqlConnection(GetConnectionString());
        
        
        if (AgmntSearchtxtSRCH.Text.Length > 0)
        {
            conn.Open();
            SqlCommand MainSearch = new SqlCommand("Ag_Number = @AgreementNumberSrch",conn);
            SqlParameter AgrmntNumber = new SqlParameter();
            AgrmntNumber.ParameterName = "@AgreementNumberSrch";
            AgrmntNumber.Value = AgmntSearchtxtSRCH.Text;
            MainSearch.Parameters.Add(AgrmntNumber);
            ViewState["ShowAll"] = false;
            
            try
          {

              Object val = MainSearch.CommandText;
              string s = val.ToString();
              QCGridview1.FilterExpression = s;
              Label LableTest = (Label)form1.FindControl("Example");
              LableTest.Text = s;
              ViewState["filter"] = s;
 
          }
            catch (SqlException ex)
            {
                Label ErrorLabel = (Label)form1.FindControl("ErrorMsg");
                ErrorLabel.Text = ex.Message;
            }
            finally
            {
                conn.Close();
            }
        }

Open in new window

0
GravitaZ24
Asked:
GravitaZ24
  • 2
1 Solution
 
alb66Commented:
I think you can do the following:

string s = string.Format( "Ag_Number = {0}", AgmntSearchtxtSRCH.Text );
QCGridview1.FilterExpression = s;

If you want to prevent SQL injection use a regular expression to validate the user input.
0
 
alb66Commented:
see "How To: Use Regular Expressions to Constrain Input in ASP.NET" at
http://msdn.microsoft.com/en-us/library/ms998267.aspx
0
 
GravitaZ24Author Commented:
Thanks!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now