
Illegal and exception characters in a C# DataColumn Expression

I have a rather simple situation that I just don't have the familiarity with C# to address.

I have a DataTable object returned from a webservice. I want the user to be able to filter and analyze the data so I create a DataView object. I have a ListBox that is the

One of the basic functions is I want them to be able to do searches of the data. So I get clever and add a textbox and an event for the textbox.

private void textbox1_TextChanged(object sender, EventArgs e)
{
    // Rebuilds the filter on every keystroke; the raw textbox text is inserted into the pattern unescaped
    ((DataView)listbox1.DataSource).RowFilter = "mycolumn LIKE '*" + textbox1.Text + "*'";
}

Problem is, if the user enters any special characters by accident (say [ or ] or *) it could screw up the match expression. It's like a classic SQL injection safety problem. The problem is the SQL blacklist characters are well documented (and often libraries will even contain methods that make strings SQL safe because it's such a common problem) but this "RowFilter" expression isn't SQL and doesn't have well documented blacklist or escape characters.

Does anyone have an idea for how to elegantly solve this problem?

All available keywords / functions are quite well documented: http://msdn.microsoft.com/en-us/library/system.data.datacolumn.expression(v=vs.71).aspx

You don't have the security issues you have with SQL injection --> you just work on your datatable so nobody can get unauthorized access to the DB. The most important thing you have to do is to escape the single quotes and eventually additional wildcards.
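An added example (not code from the question or the answer) of the escaping the answer describes: single quotes are doubled, and the LIKE wildcard and bracket characters are wrapped in brackets as the DataColumn.Expression documentation prescribes. It assumes the column is named mycolumn as in the question; the sample rows are constructed.

```csharp
using System;
using System.Data;
using System.Text;

static class RowFilterHelper
{
    // Escapes a user-supplied value for use inside a LIKE pattern in DataView.RowFilter.
    // A single quote is doubled; * % [ and ] are each wrapped in brackets ([*], [%], [[], []])
    // so they match literally instead of acting as wildcards or delimiters.
    public static string EscapeLikeValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\'': sb.Append("''"); break;
                case '*':
                case '%':
                case '[':
                case ']': sb.Append('[').Append(c).Append(']'); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Builds a "contains" filter; the column name is bracketed so it is read as an identifier.
    public static string BuildContainsFilter(string columnName, string userText)
    {
        return "[" + columnName + "] LIKE '*" + EscapeLikeValue(userText) + "*'";
    }

    static void Main()
    {
        var table = new DataTable();                  // constructed sample data
        table.Columns.Add("mycolumn", typeof(string));
        table.Rows.Add("O'Brien");
        table.Rows.Add("50% off [sale]");
        table.Rows.Add("plain text");

        var view = new DataView(table);
        // Each of these inputs would break or mis-match an unescaped pattern
        foreach (string userText in new[] { "O'Bri", "% off [", "*", "plain" })
        {
            view.RowFilter = BuildContainsFilter("mycolumn", userText);
            Console.WriteLine("{0,-10} -> {1} row(s)", userText, view.Count);
        }
    }
}
```

With the escaping in place a lone "*" matches only rows that literally contain an asterisk rather than every row, and the apostrophe in "O'Bri" no longer terminates the string.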
