Hi,

I am using asp.net 2.0 and c#.

I have a dataset, which is getting the employee info. Now I want to filter the gridview based on the name user has put in the search textbox. I am doing this :

        DataSet ds = new DataSet("EmployeeInformation");
        // ........ loading DataSet ds with employee info
        string strExpr;
        strExpr = "Name LIKE %" + txtSearchEmployee.Text.Trim() + "%";
        ds.Tables[0].Select(strExpr);

I am getting error in the last step that the operator is missing.

Please guide me on how I can achieve this. Thanks in advance.

A: 

In SQL, LIKE requires quotation marks around its argument. So, "LIKE \"%foo%\"".

What you are doing is also a BAD IDEA. If a user sends you a search string with special characters in it, you will be vulnerable to a SQL injection attack.

Sanitize your input.

Borealid
AFAIK there's no risk of SQL Injection attacks when all you're doing is selecting from a pre-loaded DataSet.
GenericTypeTea
Am I doing it incorrectly? Please advise me.
Rahul
Really? The user can select arbitrary information from your dataset, even if they can't DROP TABLES. At the very least, they can produce invalid SQL.
Borealid
Reference for general principles of SQL injection in ASP: http://msdn.microsoft.com/en-us/library/ff648339.aspx
Borealid
Borealid. I think you're misunderstanding what the Select method does in a DataTable. See http://msdn.microsoft.com/en-us/library/det4aw50.aspx. All the `Select` function does is to filter a DataTable that has already been loaded with data. There's no connection between the DataTable and the SQL database.
GenericTypeTea
I have checked the same and I agree with GenericTypeTea, as it's under a disconnected architecture. Please share your feedback if you think I am incorrect.
Rahul
+1  A: 

You just need to add single quotes around your LIKE criteria:

strExpr = "Name LIKE '%" + txtSearchEmployee.Text.Trim() + "%'";
ds.Tables[0].Select(strExpr);
GenericTypeTea
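Putting the two answers together, here is an added example (not code from either answerer): the single-quote fix from this answer, plus escaping of the search text so that a quote or a wildcard typed by the user cannot break or widen the DataTable filter expression. The `EscapeLikeTerm` and `FindByName` helpers and the sample rows are constructed for illustration; the escape rules (doubled single quote, wildcard and bracket characters wrapped in `[]`) are those documented for DataColumn expressions.

```csharp
using System;
using System.Data;
using System.Text;

class EmployeeFilterDemo
{
    // Escape a user-supplied term for use inside a DataTable.Select LIKE pattern:
    // double the string delimiter (') and bracket %, *, [ and ] so they match literally.
    static string EscapeLikeTerm(string term)
    {
        var sb = new StringBuilder(term.Length);
        foreach (char c in term)
        {
            switch (c)
            {
                case '\'': sb.Append("''"); break;
                case '%': case '*': case '[': case ']':
                    sb.Append('[').Append(c).Append(']'); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Hypothetical helper: builds the quoted, escaped filter and runs it.
    static DataRow[] FindByName(DataTable employees, string searchText)
    {
        string filter = "Name LIKE '%" + EscapeLikeTerm(searchText.Trim()) + "%'";
        return employees.Select(filter);
    }

    static void Main()
    {
        // Constructed sample data standing in for the question's loaded DataSet.
        var ds = new DataSet("EmployeeInformation");
        DataTable t = ds.Tables.Add("Employees");
        t.Columns.Add("Name", typeof(string));
        t.Rows.Add("Rahul Sharma");
        t.Rows.Add("Mary O'Brien");
        t.Rows.Add("100% Effort Ltd");

        // Unescaped: a quote inside the term ends the string early and the parser rejects it.
        try { ds.Tables[0].Select("Name LIKE '%O'Brien%'"); }
        catch (Exception ex) { Console.WriteLine("Unescaped input failed: " + ex.GetType().Name); }

        // Escaped: the apostrophe and the literal percent sign are matched as typed.
        Console.WriteLine(FindByName(ds.Tables[0], "O'Brien").Length + " match(es) for O'Brien");
        Console.WriteLine(FindByName(ds.Tables[0], "100%").Length + " match(es) for 100%");
    }
}
```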