Thomas Sampson

Getting HTML into a database

Today I found a great function in ASP.NET to convert a user-inputted string into a format suitable to be held in a database.

The first thing you must do is turn off request validation. Request validation is a check ASP.NET runs on every request to reject input that looks like HTML or script before your code ever sees it; it exists to stop users submitting markup through any form, but sometimes you need to allow this. Changing the ValidateRequest attribute of the text entry and submission button didn't work for me; I'm not sure why, but if the following is included in web.config then the user is allowed to submit HTML through a form. This removes a defence against cross-site scripting for the whole site and should be done with caution: setting ValidateRequest="false" in the @Page directive of only the pages that genuinely need HTML limits the exposure, and on .NET 4.0 or later that page-level setting only takes effect if web.config also contains <httpRuntime requestValidationMode="2.0" />.

<system.web>
  <pages validateRequest="false">
  </pages>
</system.web>

At this stage your web app accepts HTML in form submissions. The next step in this approach is to convert it into HTML entities (escape sequences) before it is inserted into the database.

Here is an example of how to do so, where userinput is the plain HTML entered by the user (HttpUtility lives in the System.Web namespace):

string encodedinput = HttpUtility.HtmlEncode(userinput);

The encoded string can then be inserted into any database with an SQL command. There is no harm in using this method on all form submissions, even ones unlikely to contain HTML. Be clear about what it does, though: HtmlEncode replaces only the characters that are special in HTML (<, >, &, the double quote and, in newer framework versions, the single quote) with entities such as &lt; and &quot;, so that the stored text cannot be interpreted as markup when it is later written to a page. It leaves characters such as % and @ untouched, and it is not what makes text safe to put into an SQL statement: a string concatenated into a query is an injection risk whether or not it has been HTML-encoded, and only parameterised commands (see Avoiding SQL injection below) remove that risk.

When retrieving the encoded HTML from the database it can easily be decoded back into regular HTML using

string decodedhtml = HttpUtility.HtmlDecode(htmlfromdatabase);

If used carefully, along with SQL injection prevention techniques, this makes for a safe way to store scripts and HTML in a database. Note where the risk actually lies: storing the markup is harmless, rendering it is not. Once decoded, the string is live HTML again, and writing it to a page unencoded runs any script it contains in every visitor's browser (stored cross-site scripting). Decode only when you intend to display the markup as text (re-encode it on output) or when the HTML comes from a trusted author.
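The following console program is an added example, not code from the original post. It runs the encode/store/decode round trip described above on a constructed piece of user input and shows what HtmlEncode does and does not change: the round trip is lossless, the decoded value is executable HTML again, and SQL-relevant characters such as % and -- pass through encoding untouched. HttpUtility is in the System.Web namespace (System.Web.dll on .NET Framework, available by default on .NET Core 2.0 and later).

```csharp
using System;
using System.Web;

// Added example, not from the original post. Demonstrates what
// HttpUtility.HtmlEncode / HtmlDecode do and do not protect against.
static class HtmlStorageDemo
{
    // Constructed sample of user-supplied HTML: a script tag plus
    // characters that matter to SQL (% ' --) and to HTML (< > &).
    const string UserInput =
        "<b>Hi</b> <script>alert('x')</script> 100% & O'Brien -- done";

    // What the post stores: the entity-encoded form.
    static string EncodeForStorage(string raw) => HttpUtility.HtmlEncode(raw);

    // What the post reads back: the original HTML, character for character.
    static string DecodeFromStorage(string stored) => HttpUtility.HtmlDecode(stored);

    // Safe way to show the stored value as visible text: encode again on output,
    // so the browser displays the tags as characters and executes nothing.
    static string RenderAsText(string decoded) => HttpUtility.HtmlEncode(decoded);

    static void Main()
    {
        string stored = EncodeForStorage(UserInput);
        Console.WriteLine("stored : " + stored);

        string decoded = DecodeFromStorage(stored);
        Console.WriteLine("round trip lossless        : " + (decoded == UserInput));

        // The decoded value is live HTML. Writing it to a page unencoded
        // (Response.Write, Literal.Text, <%= %>) runs the script: stored XSS.
        Console.WriteLine("script present after decode: " + decoded.Contains("<script>"));

        // HtmlEncode touches only HTML-special characters. '%' and the SQL
        // comment marker '--' survive, so encoding is no defence against
        // injection; parameterised commands are.
        Console.WriteLine("'100%' survives encoding   : " + stored.Contains("100%"));
        Console.WriteLine("'--' survives encoding     : " + stored.Contains("--"));

        Console.WriteLine("render : " + RenderAsText(decoded));
    }
}
```

Run it and compare the "stored" and "render" lines: both are inert when written to a page, whereas the decoded value in between is exactly the attacker's markup.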



Avoiding SQL injection

After much playing around and many problems I finally figured out how to add safe parameters to an ODBC command. Here is a sample...

OdbcCommand postcomment = new OdbcCommand("insert into comments values ('" + newguid + "','" + itemid + "',?)", temp);

Here temp is the open OdbcConnection and the ? represents the first and only parameter, which is passed into the command using

postcomment.Parameters.AddWithValue("@comment", comment);

then

postcomment.ExecuteNonQuery();

Note that only the comment text is passed as a parameter here; newguid and itemid are still concatenated into the command text. That is only acceptable if both are generated on the server (a fresh Guid, for example) and never taken from the request. Anything that can come from the user, including an item id read from the query string, belongs in a ? marker rather than in the SQL string.

The ODBC provider does not match parameters by name: "@comment" is just a label, and the value is bound to the ? markers by position. If you include more than one ?, the parameters must be added in the order they appear in the command text, otherwise values are silently bound to the wrong columns.
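The following is an added example, not code from the original post, showing the same insert with every value passed as a positional ? parameter and with explicit ODBC types rather than AddWithValue's type inference. The DSN name, the column names of the comments table and the hostile comment string are assumptions constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.Odbc;

// Added example, not from the original post. Assumes an ODBC DSN named
// "BlogDb" and a table comments(id CHAR(36), itemid INT, body NVARCHAR).
static class PostComment
{
    const string ConnectionString = "DSN=BlogDb";   // assumed DSN

    // Constructed attacker-style input. Concatenated into SQL it would end the
    // statement and run a second one; as a parameter it is stored verbatim.
    const string HostileComment = "nice'); delete from comments; --";

    static int InsertComment(OdbcConnection conn, Guid newguid, int itemid, string comment)
    {
        // Every value is a ? marker; nothing user-controlled reaches the SQL text.
        using (var postcomment = new OdbcCommand(
            "insert into comments (id, itemid, body) values (?, ?, ?)", conn))
        {
            // ODBC parameters are positional: the names are ignored and the
            // values bind to the ? markers in the order they are added, so the
            // Add calls must follow the column order in the statement above.
            postcomment.Parameters.Add("@id", OdbcType.Char, 36).Value = newguid.ToString();
            postcomment.Parameters.Add("@itemid", OdbcType.Int).Value = itemid;
            postcomment.Parameters.Add("@body", OdbcType.NVarChar).Value =
                comment ?? (object)DBNull.Value;

            return postcomment.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        using (var conn = new OdbcConnection(ConnectionString))
        {
            conn.Open();
            int rows = InsertComment(conn, Guid.NewGuid(), 42, HostileComment);
            Console.WriteLine(rows + " row(s) inserted; select body from comments to see the text stored literally.");
        }
    }
}
```

Swapping the first two Parameters.Add calls would still compile and still execute, but the Guid would be bound to itemid and the integer to id; with ODBC the order of the Add calls is the only thing that ties a value to a column.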