SPGridView, data and correct method of ensuring data is safe

Problem description

I am using an SPGridView to present some data, and have enabled the filtering ability which works very well. Until you choose a particular item in the data to filter on...

The data item in question has an apostrophe in the string (e.g. "this is richards' string"), which causes the post-filter-application page load to die with the error:

Syntax error: Missing operand after 's' operator. 

Obviously the data is not automatically made safe...

The data is in a datatable, and the SPGridView is fed using an objectdatasource using the datatable.

What's the best, or correct, method to ensure the data is safe to use?

EDIT:

After much gnashing, I have found a partial answer but the question still remains.

The partial answer is - you can make the data safe for the filter code, but you then cannot make it look correct in the filter dropdown gui.

Adding BoundField.HtmlEncode = true; to the SPGridView definition does nothing.

Using HttpUtility.HtmlEncode on the string does nothing.

Manually replacing all apostrophes in the data with `&#39;` on insertion into the DataTable allows the filter to work fine, and the data displays fine in the SPGridView, but it displays with the HTML replacement string in the filter dropdown, and not the apostrophe character. This is the partial solution, and isn't really usable as it creates a horrible filter string which is visible to the end user.

I am still to find a complete solution to this problem, save for removing offending characters from the data altogether, which isn't really a solution.

Regards Richard

Solution

The apostrophe is a special character in the filters. Try replacing all instances of the "'" (one apostrophe) with "''" (double apostrophe).

Edit 09/01/2009

Ok, so it took me a lot longer than I thought to actually get this working. You should just need to add this to your web part code:

protected override void OnPreRender(EventArgs e)
{
    // _grid is the SPGridView, _gridDS the ObjectDataSource it filters through.
    // By the time OnPreRender runs the grid has already pushed the raw filter
    // value into _gridDS.FilterExpression, so rebuild the expression with every
    // apostrophe doubled, which is how a single quote is escaped inside a string
    // literal of a DataView / ObjectDataSource filter expression.
    if (!string.IsNullOrEmpty(_gridDS.FilterExpression))
    {
        _gridDS.FilterExpression = string.Format(
            _grid.FilteredDataSourcePropertyFormat,
            _grid.FilterFieldValue.Replace("'", "''"),
            _grid.FilterFieldName
            );
    }

    base.OnPreRender(e);
}

Above, _grid is your SPGridView and _gridDS is of type ObjectDataSource, which I believe is the only type that you will be able to get filtering to work with on an SPGridView. Basically, I think what happens is that there is a bug in the Microsoft code and it doesn't really give you a chance to validate the filter value before it gets stuck in the FilterExpression. Using Reflector, I was able to figure out that the SPGridView really just sets the FilterExpression of your datasource. It does this using reflection and the value that you entered for your grid.FilteredDataSourcePropertyName property (I always see it being set to "FilterExpression" in all the examples).

Reference: http://www.reversealchemy.net/2009/05/24/building-a-spgridview-control-part-2-filtering/
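The following is an added example, not code from the original question, the answer, or the SharePoint SDK. It isolates what the answer above is fixing: the grid takes FilterFieldValue and FilterFieldName straight from the request and formats them into a DataColumn expression, the same expression language used by DataView.RowFilter, DataTable.Select and an ObjectDataSource's FilterExpression. That is why HtmlEncode did nothing for the asker: the problem is expression-language quoting, not HTML. The example assumes the commonly used format string "{1} = '{0}'" (value first, column name second, matching the string.Format call in the answer) and uses a constructed two-row DataTable in place of the grid's real data. It shows the apostrophe failure, the doubled-quote fix, that the same gap lets a crafted value widen the filter to match every row, and a check on the column name, which is just as request-controlled as the value.

```csharp
using System;
using System.Data;

// Added example (not from the original post). Exercises the DataColumn expression
// syntax shared by DataView.RowFilter, DataTable.Select and FilterExpression.
public static class RowFilterQuotingDemo
{
    // Escape a request-supplied value for use inside a single-quoted literal.
    // Inside a string literal the only special character is the apostrophe,
    // which is written as two apostrophes.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return value.Replace("'", "''");
    }

    // The column name (FilterFieldName) also comes from the request, so accept
    // only names that exist in the table and emit the canonical name in brackets.
    // Names containing ']' or '\' would additionally need backslash escaping;
    // none of the sample columns do.
    public static string QuoteColumnName(DataTable table, string columnName)
    {
        if (columnName == null || !table.Columns.Contains(columnName))
            throw new ArgumentException("Unknown filter column: " + columnName);
        return "[" + table.Columns[columnName].ColumnName + "]";
    }

    // Constructed sample data standing in for the grid's DataTable.
    public static DataTable BuildSampleTable()
    {
        var table = new DataTable();
        table.Columns.Add("Title", typeof(string));
        table.Columns.Add("Owner", typeof(string));
        table.Rows.Add("this is richards' string", "Richard");
        table.Rows.Add("plain string", "Alice");
        return table;
    }

    // What the grid effectively does: the raw value is dropped into the
    // assumed "{1} = '{0}'" format ({0} = FilterFieldValue, {1} = FilterFieldName).
    public static int CountNaive(DataTable table, string column, string value)
    {
        string expr = string.Format("{1} = '{0}'", value, column);
        return table.Select(expr).Length;
    }

    // Same format, with value and column name passed through the helpers above.
    public static int CountEscaped(DataTable table, string column, string value)
    {
        string expr = string.Format("{1} = '{0}'",
            EscapeFilterValue(value), QuoteColumnName(table, column));
        return table.Select(expr).Length;
    }

    public static void Main()
    {
        DataTable table = BuildSampleTable();

        // 1. The apostrophe case from the question: the naive expression does not parse.
        //    SyntaxErrorException derives from InvalidExpressionException.
        string richards = "this is richards' string";
        try
        {
            CountNaive(table, "Title", richards);
        }
        catch (InvalidExpressionException ex)
        {
            Console.WriteLine("naive: " + ex.Message);
        }
        Console.WriteLine("escaped matches: " + CountEscaped(table, "Title", richards));

        // 2. The same gap is a filter bypass, not only a crash: a crafted value turns the
        //    expression into "Title = 'x' OR Owner <> ''", which matches every row.
        //    Escaped, the whole crafted string is compared as a literal and matches nothing.
        string crafted = "x' OR Owner <> '";
        Console.WriteLine("naive, crafted value: " + CountNaive(table, "Title", crafted));
        Console.WriteLine("escaped, crafted value: " + CountEscaped(table, "Title", crafted));

        // 3. A column name that is not in the table is rejected before it reaches the parser.
        try
        {
            CountEscaped(table, "Owner <> '' OR Title", richards);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

EscapeFilterValue is the Replace("'", "''") call from the OnPreRender override in the answer, applied at the same point: after the grid has pushed the raw value into the data source and before the data source evaluates it. The column-name check is the extra step a practitioner would add, since FilterFieldName travels in the same request as FilterFieldValue and the format string places it outside any quotes.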
