To avoid SQL injection, use stored procedures or parameterized queries instead of building SQL text from user input. If you have a SqlDataSource, want to pass a parameterized query to that data source and finally display the result in a GridView, write the code like this:
// The SQL text is fixed; the user's search term is supplied only through the @Given_Name parameter.
string sql = "SELECT Guid as Guid,[ID], [Family Name] AS Family_Name, [Given Name] AS Given_Name, [Region], [MacroRegion], [Country], [Years], [Date] FROM [Author] where [Given Name] LIKE '%' + @Given_Name + '%'";
SqlDataSource1.SelectCommand = sql;
// Drop any parameters left from a previous bind, then add the search term as a typed parameter.
SqlDataSource1.SelectParameters.Clear();
SqlDataSource1.SelectParameters.Add("Given_Name", TypeCode.String, searchTextBox.Text.Trim());
// Bind the GridView to the data source object rather than by ID, then bind.
GridView1.DataSource = SqlDataSource1;
GridView1.DataSourceID = string.Empty;
GridView1.DataBind();
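The same idea with plain ADO.NET, as an added example that is not part of the original post: the string-concatenated query the post warns against, beside a parameterized version that also escapes LIKE wildcards so the user's text is matched literally. The connection string, table and column names are assumed to match the post's [Author] table.

```csharp
// Added example, not from the original post or any project it references.
using System;
using System.Data;
using System.Data.SqlClient;

static class AuthorSearch
{
    // VULNERABLE: the search text is spliced into the SQL text, so an input that
    // contains a single quote changes the query's meaning instead of being data.
    public static string BuildUnsafeSql(string givenName)
    {
        return "SELECT [ID], [Given Name] FROM [Author] WHERE [Given Name] LIKE '%"
               + givenName + "%'";
    }

    // SQL Server treats %, _ and [ as LIKE metacharacters; wrapping them in [ ]
    // makes them literal, so a search for "50%" does not match every row.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // SAFE: the query text is constant and the search term travels as a typed
    // parameter. The whole LIKE pattern is built here, so the SQL needs no
    // string concatenation at all.
    public static DataTable SearchByGivenName(string connectionString, string givenName)
    {
        const string sql =
            "SELECT [ID], [Family Name] AS Family_Name, [Given Name] AS Given_Name " +
            "FROM [Author] WHERE [Given Name] LIKE @Pattern";

        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLike(givenName.Trim()) + "%";
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // opens the connection, runs the query, closes it
            }
        }
        return table;
    }
}
```

The returned DataTable can be assigned to GridView1.DataSource and bound exactly as in the snippet above.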
More: http://forums.asp.net/t/1309562.aspx
Saturday, November 15, 2008