tags:

views:

594

answers:

1
+1  Q: 

Injection Attacks against .NET DataView RowFilter

So I'm writing a handler that filters a cached DataTable based on the AppRelativeCurrentExecutionFilePath using the DataView RowFilter property. What's the best way to encode the input to prevent an injection attack?

Is the following sufficient? Is there a better/more-elegant way?

dataView.RowFilter = String.Format("Name LIKE '{0}%'", EncodeString(query));

private string EncodeString(string s)
{
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < s.Length; i++)
    {
        char c = s[i];
        if (c == '*' || c == '%' || c == '[' || c == ']')
            sb.Append("[").Append(c).Append("]");
        else if (c == '\'')
            sb.Append("''");
        else
            sb.Append(c);
    }

    return sb.ToString();
}
A: 

You cannot inject sql in a RowFilter.

Edit: As pointed out, it is possible to get all rows in the table by injection, could something like the following work:

dataTable.AsEnumerable()
    .Where(r => r.Field<string>("StringColumn").Contains(userInput))
    .ToList().ForEach(r => Console.WriteLine(r.Field<string>("StringColumn")));
Yuriy Faktorovich  2009-08-12 14:16:02
RowFilter is a string very similar to a SQL Where clause and it is exploitable via injection if you are constructing the filter string from user input. In my example I am filtering a DataTable based on the the URL (e.g http://site/handler/stringUsedInFilter) and the filter is a LIKE comparison thus anything after "handler/" needs to be sanitized otherwise something like "%25%25%25%25%25" would bypass minimum length and empty string checks to return the entire table contents. "'" would cause the filter to be invalid and throw an exception. etc...
CptSkippy  2009-08-12 14:50:50
Yes in order to not return the full table you would have to guard. Is there ever a case where the entire table is returned or is that something you can guard against?
Yuriy Faktorovich  2009-08-12 15:06:57
@Yuriy : What if the input they're looking to filter on really is %%%%%? That wouldn't do them much good. What if the input is O'Brien? That would cause an SyntaxErrorException to be thrown. The input needs to be filtered.
CptSkippy  2009-08-12 16:06:15
Time to create a parameterized control inheriting from DataView?
Yuriy Faktorovich  2009-08-12 17:22:43

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?