I'd like to enable the user to apply a custom filter to a System.Data.DataTable. At the moment I have a very simple function like this:
Dim result = dataTable.Select(txtUserInput.Text)
With the filtered results I'd like to do further operations (e.g. database update/delete).
Is SQL injection protection needed, or is the "Select" function secure?
Thank you
//Edit: The main question is: can the "Select" function be abused to manipulate any data in the DataTable, execute code, ...? If the only danger is that this function can return too much/too little data, there is no problem. But if the data in the DataSet gets corrupted, it's a real problem.
You don't need protection in that instance - DataTable.Select applies a filter to the DataRows held in memory within that DataTable; it's not actually connecting to or executing anything against the database.
You would need protection if you were taking that user input and building it into a SQL statement you then execute against the db, e.g. to initially fill the DataTable. In that case, the best thing is to parameterise the statement.
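As an added example (not code from the question or the answer), here is the in-memory filter from the question next to the two fill variants the answer describes: the concatenated statement that needs protection and its parameterised form. The sample table, its columns and the use of the System.Data.SqlClient provider are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient ' assumption: the System.Data.SqlClient provider is used

Module FilterDemo

    ' Constructed sample table standing in for the question's dataTable.
    Function BuildSample() As DataTable
        Dim t As New DataTable("Users")
        t.Columns.Add("Id", GetType(Integer))
        t.Columns.Add("Name", GetType(String))
        t.Rows.Add(1, "alice")
        t.Rows.Add(2, "bob")
        Return t
    End Function

    ' DataTable.Select evaluates the expression against rows already in memory.
    ' The filter language has no statements, so user input can at most match the
    ' wrong rows or be rejected as malformed; it cannot modify rows or reach the database.
    Function FilterInMemory(table As DataTable, userFilter As String) As DataRow()
        Try
            Return table.Select(userFilter)
        Catch ex As InvalidExpressionException ' base of SyntaxErrorException and EvaluateException
            Console.WriteLine("Rejected filter: " & ex.Message)
            Return New DataRow() {}
        End Try
    End Function

    ' The risk lives in the fill step: concatenating user input into SQL is injectable.
    Function UnsafeFillSql(userName As String) As String
        Return "SELECT Id, Name FROM Users WHERE Name = '" & userName & "'"
    End Function

    ' Hardened form: the value travels as a parameter, never as part of the SQL text.
    Function SafeFillCommand(conn As SqlConnection, userName As String) As SqlCommand
        Dim cmd As New SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", conn)
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName
        Return cmd
    End Function

    Sub Main()
        Dim t = BuildSample()
        Console.WriteLine(FilterInMemory(t, "Name = 'alice'").Length)     ' exact match
        Console.WriteLine(FilterInMemory(t, "Name = 'x' OR 1 = 1").Length) ' over-broad, but only reads rows
        Console.WriteLine(FilterInMemory(t, "Name = (").Length)            ' malformed: rejected, nothing changed
    End Sub
End Module
```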