Glad I dropped Tivo for Media Center

It was December 2001 when my wife bought me a Tivo for Christmas (see tivo review). At the time I loved it. It was the best thing since electricity. I decided to not purchase the lifeline subscription because I knew something better was going to come out with more hard drive space, ethernet etc. As it turns out I was right. Back then I think it was something like $9.95 per month. Not too bad really.

I remember walking around the office after returning from Christmas break selling Tivo to everyone. One of my co-workers at the time, Mike Kimsal, listened to how things worked and in true Mike fashion researched it to death, and when he decided he wanted one, like a true geek he wanted it RIGHT THEN! It's funny because he called me on Super Bowl Sunday during the game wondering where he could get a Tivo in Ann Arbor. Luckily I had Tivo so I could pause the game, otherwise he would have been in big trouble.

I kept the Tivo around and kept selling them to anyone that asked and that would listen. By now they were becoming mainstream. Sorta like Google, where you hear people say "google for it", you started hearing people say I "Tivoed" so and so show last night. Probably a year or so after we owned the Tivo they released a newer version which could get its listings via wireless download. We upgraded ours and continued to use Tivo. By this time the price had gone up to $12.95 a month though.

Where am I going with this posting, you ask? Well, earlier this week Tivo announced new pricing plans. They've gotten rid of the lifeline subscription and instead charge you $19.95 a month or $224 prepaid if you want to buy a year in advance. Thanks but no thanks Tivo!

I haven't posted about it to the blog, but I took my Shuttle PC I purchased back in 2003 and converted it to run Windows Media Center several months ago, November 2005 to be exact. The only thing I had to do to convert it to media center was purchase a Hauppauge MCE 500 tuner. It has two tuners on it which allow you to record two shows at once or watch one and record one. As a side note about MCE, you could even add two MCE 500 cards and record 4 shows at once, how cool is that? So for about $100.00 I took an existing PC and converted it to Media Center and don't have to pay Tivo a DIME every month. You can do your own research about media center, but it's a very cool platform and there are tons of hacks and even a complete API to develop custom plugins for it.

After several months MCE is still running and recording shows, all for the low low price of $0.00 per month. Besides the fact you have a computer and can do WAY more with it than the Tivo, I call it a win. Wake up Tivo, you are approaching having to be put into the budget with your pricing and there are cheaper ways to get the same thing.

Single quotes in DataView.RowFilter and DataSet Selects

I've been working on a new feature for a Smart Client at work and it was time to push it to beta and have QA go over it.  I was speaking to the QA team member and they were certain they could break the new feature with just a single quote.  The reason this QA team member said this is they test a lot of PHP web apps, which are notorious for this type of mistake because of magic quotes turned on or off or whatever.  As I explained to them, the Smart Client shouldn't encounter this when saving or deleting data as ADO.Net does a pretty good job of handling this type of thing.

Later in the evening I got an email from the QA team member with a screen shot where they had created an entry with a single quote in it. O'Connel for example.  At first I thought it was a joke and then I confirmed it by doing it myself.  What happened I wondered?  I've never seen this before.  So, I dug into the code. 

In this particular application the screen it occurred on was a screen where I had applied a DataView filter to narrow the results of a DataSet.  Here is a simple app I built called "Help Desk" to show you what I am talking about.  Below the menu in the sample you'll notice I added a TextBox and a Filter button to the ToolStrip.  As you type information into the TextBox it filters the dataset by the First Name column.  Here is how that's done.

private void toolStripTextBox1_TextChanged(object sender, EventArgs e)
{
   DataView dv = adventureWorksDataSet.Contact.DefaultView;
   dv.RowFilter = "FirstName LIKE '%"+ toolStripTextBox1.Text + "%'";
   this.contactBindingSource.DataSource = dv;
}

The problem the QA team member found was not in the datalayer.  It is pretty simple to see that if you have a single quote in the toolStripTextBox1 object it is going to break the syntax of the RowFilter.  So that's the problem, now let's fix it.  I solved it quickly by doing this:

private void toolStripTextBox1_TextChanged(object sender, EventArgs e)
{
   DataView dv = adventureWorksDataSet.Contact.DefaultView;
   dv.RowFilter = "FirstName LIKE '%"+ toolStripTextBox1.Text.Replace("'", "''") + "%'";
   this.contactBindingSource.DataSource = dv;
}

This got me to thinking though, what other situations would this come up.  There may be others where you need to be careful to watch out for this but the only other similar situation was whereby you would do a select on a DataTable to return an array of rows.  For example:

AdventureWorksDataSet.ContactRow[] rows = (AdventureWorksDataSet.ContactRow[])adventureWorksDataSet.Contact.Select("FirstName='" + toolStripTextBox1.Text.Replace("'", "''") + "'");

I then started testing all types of other characters in this situation and the single quote is the only thing I came up with that would break it.  I guess in the end we were both right.  I was right in the fact that the datalayer wouldn't be broken but the QA team member did in fact break it with a single quote.  Note to self.  Self, if you are doing a RowFilter or DataSet Selects with a filter and are getting the input from the user, replace the single quotes.

I've attached the sample Help Desk solution to this post for those that want to download and play with it.  All you need is the AdventureWorks database and change the connection string to your own connection string.
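An added example, not part of the original post or the attached solution, that goes beyond the single-quote case: the DataColumn.Expression syntax used by RowFilter and Select also requires `*`, `%`, `[` and `]` inside a LIKE value to be enclosed in brackets, and does not allow a wildcard in the middle of a pattern. The helper names `EscapeLiteral` and `EscapeLike` and the in-memory table are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Text;

static class RowFilterEscaping
{
    // Hypothetical helper: escape a value placed inside a quoted literal
    // (for = comparisons) by doubling single quotes.
    public static string EscapeLiteral(string value)
    {
        return value.Replace("'", "''");
    }

    // Hypothetical helper: escape a value placed inside a LIKE pattern.
    // Wildcards and brackets are wrapped in [] so they match literally,
    // and single quotes are doubled.
    public static string EscapeLike(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            if (c == '*' || c == '%' || c == '[' || c == ']')
                sb.Append('[').Append(c).Append(']');
            else if (c == '\'')
                sb.Append("''");
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample rows standing in for the Contact table.
        var table = new DataTable("Contact");
        table.Columns.Add("FirstName", typeof(string));
        foreach (var name in new[] { "O'Connel", "A*B", "100%", "Mary" })
            table.Rows.Add(name);

        // Inputs a user could type into the filter box.
        foreach (var input in new[] { "O'C", "A*B", "0%", "[" })
        {
            var view = new DataView(table);
            view.RowFilter = "FirstName LIKE '%" + EscapeLike(input) + "%'";
            Console.WriteLine("{0,-4} -> {1} row(s)", input, view.Count);
        }

        DataRow[] exact = table.Select("FirstName = '" + EscapeLiteral("O'Connel") + "'");
        Console.WriteLine("exact match: {0} row(s)", exact.Length);
    }
}
```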
