I'm filtering some data in my GridView like this:
protected void Button1_Click(object sender, EventArgs e)
{
    // The column to search is chosen from a fixed set of DropDownList values;
    // the search text is taken from the TextBox and concatenated straight
    // into the filter expression.
    if (DropDownList1.SelectedValue.ToString() == "Name")
    {
        ObjectDataSource1.FilterExpression = "Name LIKE '%" + TextBox1.Text + "%' ";
    }
    else if (DropDownList1.SelectedValue.ToString() == "Title")
    {
        ObjectDataSource1.FilterExpression = "Title LIKE '%" + TextBox1.Text + "%' ";
    }
}
The data is originally pulled from a DataTable in the code-behind. Now I've read a lot about SQL injection, but I'm just wondering whether this is an issue with ObjectDataSource.FilterExpression? As far as I know it shouldn't be, but I'm just looking for a second opinion to confirm.
Upvotes: 3
Views: 1394
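As an added example (not code from the question or either answer), the following shows the question's concatenation beside a hardened builder. ObjectDataSource.FilterExpression uses the DataColumn expression language, so the same string is exercised here directly through DataTable.Select on a constructed table: a single quote in the value is doubled, and the characters the expression language treats as wildcards or escape brackets (* % [ ]) are enclosed in brackets so they match literally. The allow-list of searchable columns, the sample rows and the helper names are assumptions for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Text;

// Added example, not part of the original post. Demonstrates escaping user
// input for the DataColumn expression language used by FilterExpression.
public static class FilterExpressionDemo
{
    // Hypothetical allow-list: the only columns a search may target.
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.Ordinal) { "Name", "Title" };

    // Escape a value for use inside a quoted LIKE pattern:
    // ' becomes '' (a literal quote inside the string literal), and
    // * % [ ] are wrapped in brackets so they are matched literally
    // instead of acting as wildcards or escape brackets.
    public static string EscapeLikeValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\'': sb.Append("''"); break;
                case '*':
                case '%':
                case '[':
                case ']': sb.Append('[').Append(c).Append(']'); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Build "[Column] LIKE '%value%'" with the column checked against the
    // allow-list and the value escaped. The result can be assigned to
    // ObjectDataSource.FilterExpression or DataView.RowFilter.
    public static string BuildContainsFilter(string column, string value)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException("Column is not searchable: " + column);
        return "[" + column + "] LIKE '%" + EscapeLikeValue(value) + "%'";
    }

    // The concatenation pattern from the question, kept for comparison.
    public static string BuildNaiveFilter(string column, string value)
    {
        return column + " LIKE '%" + value + "%' ";
    }

    // Constructed sample data standing in for the DataTable in the code-behind.
    static DataTable SampleTable()
    {
        var t = new DataTable();
        t.Columns.Add("Name", typeof(string));
        t.Rows.Add("Smith");
        t.Rows.Add("O'Brien");
        t.Rows.Add("100% Cotton");
        t.Rows.Add("1000 Ways");
        return t;
    }

    // Number of rows the filter selects, or -1 if the expression is rejected.
    static int CountMatches(DataTable table, string filter)
    {
        try { return table.Select(filter).Length; }
        catch (Exception ex)
        {
            Console.WriteLine("  rejected: " + ex.GetType().Name);
            return -1;
        }
    }

    public static void Main()
    {
        DataTable table = SampleTable();

        // A legitimate name containing a quote ends the string literal early
        // in the naive expression; the escaped form matches the one row.
        Console.WriteLine("naive O'Brien  -> " + CountMatches(table, BuildNaiveFilter("Name", "O'Brien")));
        Console.WriteLine("safe  O'Brien  -> " + CountMatches(table, BuildContainsFilter("Name", "O'Brien")));

        // In the naive expression the % from the input acts as a wildcard,
        // so "1000 Ways" matches too; escaped, only "100% Cotton" matches.
        Console.WriteLine("naive 100%     -> " + CountMatches(table, BuildNaiveFilter("Name", "100%")));
        Console.WriteLine("safe  100%     -> " + CountMatches(table, BuildContainsFilter("Name", "100%")));
    }
}
```

The escaping rules are the ones documented for DataColumn.Expression (doubled single quotes inside a literal; wildcard and bracket characters enclosed in brackets). Checking the column name against a fixed allow-list matters as much as escaping the value: the question's code already does this in effect by comparing the DropDownList value against constant strings rather than inserting it into the expression.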
Reputation: 380
Like rsc mentioned in their reply, there is certainly still a risk of SQL injection when using FilterExpressions.
Including an example below of how to use parameterized queries with FilterExpressions:
// {0} and {1} are placeholders filled from FilterParameters, in order.
SqlDataSource3.FilterExpression = "[Country] = '{0}' and [City] = '{1}'";
SqlDataSource3.FilterParameters.Clear();
// First parameter ({0}): the country value.
SqlDataSource3.FilterParameters.Add(new Parameter("ddlCountry", DbType.String));
SqlDataSource3.FilterParameters["ddlCountry"].ConvertEmptyStringToNull = true;
SqlDataSource3.FilterParameters["ddlCountry"].DefaultValue = country;
// Second parameter ({1}): the city value.
SqlDataSource3.FilterParameters.Add(new Parameter("ddlCity", DbType.String));
SqlDataSource3.FilterParameters["ddlCity"].ConvertEmptyStringToNull = true;
SqlDataSource3.FilterParameters["ddlCity"].DefaultValue = city;
Upvotes: 0
Reputation: 10679
You are definitely subject to FilterExpression injection, since you are not sanitizing the user input. Now, what the consequences/impact of the injection will be depends on your system and what types of values are stored.
For more information about FilterExpression injection, read this whitepaper:
https://www.mbsd.jp/Whitepaper/FilterExpression.pdf
Upvotes: -1