Re: Displaying User-Supplied String
- From: Jesse Houwing <jesse.houwing@xxxxxxxxxxxxxxxx>
- Date: Wed, 3 Oct 2007 23:17:05 +0000 (UTC)
Hello Mark Rae [MVP],
> "Jonathan Wood" <jwood@xxxxxxxxxxxxxxxx> wrote in message
> news:OqKJvmgBIHA.5868@xxxxxxxxxxxxxxxxxxxxxxx
>> Okay, I have a site that displays information based on user input, a
>> couple of the items are plain strings that the user entered.
>> I understand the risk here is that they could insert javascript or
>> whatever in their string and, when my page displays it, that script
>> could be executed.
>> What is the best approach for preventing that?
>
> Are you talking about SQL Injection i.e. the strings supplied by the
> users are used to look up records in a database?
> If so, you need to use parameterised queries or stored procedures.
> Google "SQL injection"
There's more than SQL injection at work here. Apart from SQL injection there is the risk of cross site scripting, as the original poster correctly identified. The best way to prevent that is to call Server.HTMLEncode on each field before displaying it. I usually don't encode the data before putting it into the database, as the data might be used in a non-web environment as well (reporting, Windows client etc).

So encode before displaying.
--
Jesse Houwing
jesse.houwing at sogeti.nl
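The two points raised in this thread (parameterised queries for the database lookup, and HTML encoding only at display time, with the stored value left untouched) as a single stand-alone C# example. This is an added illustration, not code from either poster. It assumes a hypothetical `Users` table with `DisplayName` and `Comment` columns, never opens a connection, and uses `System.Net.WebUtility.HtmlEncode` in place of `Server.HtmlEncode` so it runs as a plain console program; the sample input is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

// Added example, not from the thread. Demonstrates the two points raised:
// look up records with a parameterised query (never string concatenation),
// store the user's text unchanged, and HTML-encode it only at display time.
public static class UserStringDemo
{
    // Constructed sample input: the kind of text a user could type into a form field.
    const string SampleInput = "<script>alert('x')</script> O'Brien & co";

    // Build the lookup as a parameterised command. The user text travels as a
    // typed parameter value, so the server never parses it as SQL.
    // Table and column names are hypothetical; no connection is opened here.
    public static SqlCommand BuildLookup(string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, DisplayName, Comment FROM Users WHERE DisplayName = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }

    // Encode at the point of output. This is what Server.HtmlEncode does inside an
    // ASP.NET page; WebUtility.HtmlEncode is used so the example runs without ASP.NET.
    public static string RenderField(string raw)
    {
        return WebUtility.HtmlEncode(raw ?? string.Empty);
    }

    public static void Main()
    {
        SqlCommand cmd = BuildLookup(SampleInput);
        Console.WriteLine("SQL text sent to server : " + cmd.CommandText);
        Console.WriteLine("Parameter @name         : " + cmd.Parameters["@name"].Value);

        // The stored value stays raw so reports, Windows clients etc. can use it;
        // only the HTML view is encoded.
        string stored = SampleInput;
        Console.WriteLine("Stored in DB            : " + stored);
        Console.WriteLine("Rendered in page        : " + RenderField(stored));
    }
}
```

Run it and compare the last two lines of output: the database copy still contains the angle brackets, quotes and ampersand as typed, while the rendered copy has them turned into HTML entities so the browser shows them as text rather than interpreting them. Encoding in `RenderField` rather than before the `INSERT` is exactly the "encode before displaying" choice Jesse describes, and it also means a later change in output format (JSON, a Windows client) does not have to undo HTML entities.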