I need to write a filter expression. Approved is a boolean field. I need to be able to select all records, or all records where Approved is true or false, or all records where Approved is null.
My expression is as follows:
"FullName LIKE '%{0}%' AND DateSubmitted >= '{1}' AND DateSubmitted <= '{2}' AND (('{3}' = '*' OR Approved = '{3}') OR (Approved IS NULL AND '{3}' IS NULL))"
If you see anything wrong with this statement let me know. As of right now it filters on everything except Approved being null. This is the last part of the expression.
-
"FullName LIKE '%{0}%' AND DateSubmitted >= '{1}' AND DateSubmitted <= '{2}' AND (('{3}' = '*' OR Approved = '{3}') OR (Approved IS NULL AND '{3}' IS NULL))"
The part '{3}' IS NULL is always false.
Also you should be using parameterised queries:
"FullName LIKE @Param1 AND DateSubmitted >= @DateTimeParam1 AND DateSubmitted <= @DateTimeParam2 AND ((@Param2 = '*' OR Approved = @Param2) OR (Approved IS NULL AND @Param2 IS NULL))"
If Approved is null and @Param2 is null the right hand side of the OR would evaluate properly.
-
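Buzza's point, run as an added example that is not from the thread: the same filter executed as SQL against an in-memory SQLite database using sqlite3 from the Python standard library. The table name Submissions, the sample rows and the 1/0/NULL encoding of Approved are assumptions; the thread's FilterExpression is evaluated client-side in a DataView rather than by a SQL engine, but the reason a quoted literal like '{3}' IS NULL can never match is the same.

```python
import sqlite3

# Constructed sample rows (not from the thread): Approved is stored as
# 1 (true), 0 (false) or NULL (not yet reviewed).
ROWS = [
    ("Alice Smith", "2010-01-05", 1),
    ("Bob Jones", "2010-01-10", 0),
    ("Carol White", "2010-01-15", None),
    ("Dan Brown", "2010-02-20", 1),
]

# Same shape as the thread's expression: values spliced into the text with
# string formatting. Whatever is substituted for {3} becomes a quoted
# literal, and a literal is never NULL.
FORMATTED = (
    "SELECT FullName FROM Submissions "
    "WHERE FullName LIKE '%{0}%' "
    "AND DateSubmitted >= '{1}' AND DateSubmitted <= '{2}' "
    "AND (('{3}' = '*' OR Approved = '{3}') OR (Approved IS NULL AND '{3}' IS NULL)) "
    "ORDER BY FullName"
)

# Buzza's parameterised form; sqlite3 accepts @name placeholders bound from a dict.
PARAMETERISED = (
    "SELECT FullName FROM Submissions "
    "WHERE FullName LIKE @Param1 "
    "AND DateSubmitted >= @DateTimeParam1 AND DateSubmitted <= @DateTimeParam2 "
    "AND ((@Param2 = '*' OR Approved = @Param2) OR (Approved IS NULL AND @Param2 IS NULL)) "
    "ORDER BY FullName"
)


def build_db():
    """In-memory table named Submissions (an assumed name) loaded with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Submissions (FullName TEXT, DateSubmitted TEXT, Approved INTEGER)"
    )
    conn.executemany("INSERT INTO Submissions VALUES (?, ?, ?)", ROWS)
    return conn


def formatted_filter(conn, name, start, end, approved):
    """Values spliced into the SQL text. The 'null' intent has to be encoded
    as some string (here the empty string), and that string is what gets
    compared with IS NULL, which is never true."""
    sql = FORMATTED.format(name, start, end, "" if approved is None else approved)
    return [row[0] for row in conn.execute(sql)]


def parameterised_filter(conn, name, start, end, approved):
    """Values bound as parameters. None reaches the engine as a real NULL, so
    '@Param2 IS NULL' evaluates as intended, and no value ever becomes part
    of the query text."""
    params = {
        "Param1": f"%{name}%",
        "DateTimeParam1": start,
        "DateTimeParam2": end,
        "Param2": approved,  # '*' = all, 1/0 = approved/rejected, None = unreviewed
    }
    return [row[0] for row in conn.execute(PARAMETERISED, params)]


if __name__ == "__main__":
    db = build_db()
    for mode in ("*", 1, 0, None):
        print("parameterised", repr(mode), parameterised_filter(db, "", "2010-01-01", "2010-12-31", mode))
        print("formatted    ", repr(mode), formatted_filter(db, "", "2010-01-01", "2010-12-31", mode))
```

Running it shows the two forms agreeing for '*', 1 and 0, and diverging only for the null case: the formatted query returns nothing because '' IS NULL is false, while the bound parameter matches the unreviewed row.
-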
Yeah, SQL injection ain't so cool.
-
Holy sql injection batman!
-
It's a FilterExpression on a SqlDataSource; is this still vulnerable?
-
scott976 wrote: It's a FilterExpression on a SqlDataSource; is this still vulnerable?
No.
-
Please post technical questions in TechOff.
Buzza answered your question.
If you're using SQL, use BETWEEN for your DateSubmitted clause:
DateSubmitted BETWEEN @startDate AND @endDate
Edit: I missed the part about this being a filter expression. I don't think those support BETWEEN. Sorry.
Thread Closed