
Can we add parameter in datatable.select in c#

I would like to know whether it is possible to add a parameter in datatable.select(expression). For example:

string query="Name=@Name";          
// dt is coming from the database.
dt.Select(query);

How do I add this parameter @Name? I need to compare a value which contains a single quote, and it fails in the above case.

Thanks in advance

user1685652 asked Aug 30 '13 14:08


1 Answer

You can use String.Format; you need to escape single quotes with two:

string query = string.Format("Name='{0}'", name.Replace(@"'", "''"));
var rows = dt.Select(query);

or, if you want to use Like:

string query = string.Format("Name LIKE '%{0}%'", name.Replace(@"'", "''"));

(note that a DataTable is not vulnerable to sql-injection since it's an in-memory object)

Tim Schmelter answered Sep 19 '22 09:09
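An added example, not part of the answer above: the same quote-doubling wrapped in helpers, extended to the LIKE case, where the DataTable expression syntax also treats `*`, `%`, `[` and `]` as special and expects them wrapped in brackets. The helper names `EscapeLiteral` and `EscapeLike` and the sample rows are assumptions made for illustration; the last query shows LINQ to DataSet, which compares the value directly and needs no escaping.

```csharp
using System;
using System.Data;
using System.Linq;
using System.Text;

static class DataTableFilterDemo
{
    // Value placed between single quotes in a filter expression: double each quote.
    static string EscapeLiteral(string value) => value.Replace("'", "''");

    // Value placed inside a LIKE pattern: the wildcards * and % and the brackets
    // themselves are wrapped in [], and single quotes are doubled.
    static string EscapeLike(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            if (c == '*' || c == '%' || c == '[' || c == ']')
                sb.Append('[').Append(c).Append(']');
            else if (c == '\'')
                sb.Append("''");
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample table standing in for the one loaded from the database.
        var dt = new DataTable();
        dt.Columns.Add("Name", typeof(string));
        foreach (var n in new[] { "O'Brien", "100% cotton", "Smith" })
            dt.Rows.Add(n);

        string name = "O'Brien";      // constructed input containing a quote
        string fragment = "100%";     // constructed input containing a wildcard
        DataRow[] exact = dt.Select("Name = '" + EscapeLiteral(name) + "'");
        DataRow[] like = dt.Select("Name LIKE '%" + EscapeLike(fragment) + "%'");

        // LINQ to DataSet compares values directly, so no expression string is built.
        // (On .NET Framework this needs a reference to System.Data.DataSetExtensions.)
        DataRow[] linq = dt.AsEnumerable()
                           .Where(r => r.Field<string>("Name") == name)
                           .ToArray();

        Console.WriteLine($"{exact.Length} {like.Length} {linq.Length}");
    }
}
```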