Thomas Sampson

Getting HTML into a database


Today I found a great function in ASP.NET to convert a user-inputted string into a format suitable to be held in a database.

The first thing you must do is turn off request validation. Request validation is the check ASP.NET runs on every incoming request to reject input that looks like HTML (a "<" followed by a letter, for instance) with an HttpRequestValidationException before any of your code sees it. But sometimes you need to allow this. Changing the ValidateRequest attribute of the text entry and submission button didn't work for me, I'm not sure why, but if the following is included in web.config then the user is allowed to submit HTML through a form on every page of the application (this removes a blanket defence against cross-site scripting and should be done with caution; it can also be switched off for a single page with ValidateRequest="false" on that page's @Page directive, and on ASP.NET 4.0 and later either setting only takes effect if <httpRuntime requestValidationMode="2.0" /> is also present in the same <system.web> section).

<system.web>
  <pages validateRequest="false" />
</system.web>

At this stage your web app accepts submitted HTML. Before it is inserted into the database, encode it: HtmlEncode replaces the characters that carry meaning in HTML (<, >, &, " and, from .NET 4.0 onwards, ') with their entity equivalents (&lt;, &gt;, &amp;, &quot;, &#39;), so the stored string is inert and renders as literal text rather than as markup.

Here is an example of how to do so, where userinput is the raw HTML entered by the user:

using System.Web;   // HttpUtility lives in System.Web

string encodedinput = HttpUtility.HtmlEncode(userinput);

This encoded data can now be inserted into any database using an SQL command. There is no harm in using this method on all form submissions, even those unlikely to contain HTML, because the encoded form is still plain text. Two things it does not do, though: it does not encode % or @ (those characters pass through untouched, and no database rejects them), and it is not SQL injection protection. The only reason a double or single quote ever gets "rejected by the database" is that the query was built by string concatenation, so the user's quote terminated the SQL literal early; that is an injection bug, and the fix is a parameterized query, which stores quotes, % and @ faithfully without any encoding. HtmlEncode happens to turn quotes into entities, which hides the symptom, but it leaves backslashes and everything else alone, so do not rely on it for the SQL layer.

When retrieving this encoded HTML from the database it can easily be decoded back into regular HTML using

string decodedhtml=HttpUtility.HtmlDecode(htmlfromdatabase);

Used carefully, alongside parameterized queries for the SQL itself, this is a safe way to store user-submitted scripts and HTML in a database. What is not automatically safe is displaying it: writing the decoded string into a page runs whatever script the user submitted, exactly as if request validation had never been there. Render the encoded form (which shows the markup as text) unless the content comes from a trusted author, and if untrusted HTML must be rendered as HTML, pass it through an allow-list sanitizer first.
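The full procedure above (encode, store, fetch, decode) as an added, runnable example that is not part of the original post. It is written in Python rather than C# so it can run anywhere: html.escape and html.unescape stand in for HttpUtility.HtmlEncode and HtmlDecode (they encode the same five characters), and an in-memory SQLite database stands in for the web app's database. It goes one step beyond the post by storing the same input through a parameterized query and through string concatenation, to show where the "database rejects quotes" problem really comes from. The sample input and the posts table are constructed for the example.

```python
import html
import sqlite3

# Constructed sample input: the kind of thing a user can paste into the form
# once request validation is off. It contains a script tag plus every
# character the post worries about: double quotes, %, & and @, and single
# quotes, which are the ones that break a concatenated SQL statement.
USER_INPUT = '<script>alert("xss")</script> 100% sure & @tom said \'hi\''

# Constructed table, stands in for whatever table the web app stores posts in.
SCHEMA = "CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)"


def encode_for_storage(text: str) -> str:
    """Stand-in for HttpUtility.HtmlEncode: <, >, &, " and ' become entities.
    Everything else, including %, @ and backslash, passes through untouched."""
    return html.escape(text, quote=True)


def decode_from_storage(text: str) -> str:
    """Stand-in for HttpUtility.HtmlDecode: entities back to characters."""
    return html.unescape(text)


def store_parameterised(value: str) -> str:
    """Insert with a parameterised query and read the row back.
    The driver sends the value separately from the SQL text, so quotes,
    % and @ need no encoding at all to be stored faithfully."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO posts (body) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT body FROM posts").fetchone()
    conn.close()
    return stored


def store_concatenated(value: str):
    """The bug behind 'the database rejects quotes': the value is glued into
    the statement text, so a quote in the input ends the SQL literal early.
    Returns the stored row, or None when SQLite rejects the statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    statement = "INSERT INTO posts (body) VALUES ('" + value + "')"
    try:
        conn.execute(statement)
    except sqlite3.OperationalError:  # e.g. near "hi": syntax error
        conn.close()
        return None
    (stored,) = conn.execute("SELECT body FROM posts").fetchone()
    conn.close()
    return stored


def round_trip(text: str) -> str:
    """The post's procedure end to end: encode, store, fetch, decode."""
    return decode_from_storage(store_parameterised(encode_for_storage(text)))


if __name__ == "__main__":
    encoded = encode_for_storage(USER_INPUT)
    print("encoded:", encoded)
    print("round trip equals input:", round_trip(USER_INPUT) == USER_INPUT)
    print("parameterised, raw input:", store_parameterised(USER_INPUT))
    print("concatenated, raw input:", store_concatenated(USER_INPUT))
    print("concatenated, encoded input:", store_concatenated(encoded))
```

Running it shows the raw input stored intact by the parameterised insert, the same raw input rejected by the concatenated insert (the user's own quotes produced a syntax error), and the encoded input accepted by the concatenated insert only because HtmlEncode happened to turn the quotes into &#x27;. That last result is the one to distrust: the encoding is for HTML, the parameter is what protects the SQL.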


Author: tomtech999


One thought on “Getting HTML into a database”

  1. Wow, cool!
     Super Man
     Nice site
