Splurd - Posted May 18, 2006

Basically doing a simple page to get stuff from a database: select, update, add, that sort of stuff. But one problem I want to avoid is if there is stuff like < > tags in the db, when I extract the values, will it error my HTML in my page? Like what if someone did a <script> 1337 h@x </script> on me. So the obvious way would be to replace the < tags with &gt; &lt; (I think that was it, got to check). But I am not sure the best way to do it, and where to do it? (Like, should I do it before the db is updated, or do it when I am response.writing my data?)
Yahweh - Posted May 18, 2006

> Basically doing a simple page to get stuff from a database: select, update, add, that sort of stuff. But one problem I want to avoid is if there is stuff like < > tags in the db, when I extract the values, will it error my HTML in my page? Like what if someone did a <script> 1337 h@x </script> on me. So the obvious way would be to replace the < tags with &gt; &lt; (I think that was it, got to check). But I am not sure the best way to do it, and where to do it? (Like, should I do it before the db is updated, or do it when I am response.writing my data?)

As a general rule of thumb, you should sanitize your data before you put it in the database. Use Server.HTMLEncode, like this:

```vbscript
'... open database, get data
' Encode at output time: the field is stored raw and escaped as it is written to the page
Response.Write Server.HTMLEncode(RS("some_field"))
'... close database
```

Or use it like this when you're updating your database:

```vbscript
'... open database for updating
' 3, 3 = adOpenStatic cursor, adLockOptimistic locking
RS.Open SQL, Conn, 3, 3
' Encode at storage time: each value is escaped before it is written to its field
RS("some_field1") = Server.HTMLEncode(some_variable)
RS("some_field2") = Server.HTMLEncode(some_other_variable)
RS("some_field3") = Server.HTMLEncode(another_variable)
RS.Update
RS.Close
'... close database
```

In my experience, I haven't had any problems HTMLEncoding my data as soon as I response.write it to the screen, as opposed to encoding it before I put it in my database. Sometimes, encoding data when you update the database produces odd results. For instance, if you take this text: `<B>Hello world</B>` and HTMLEncode it before you update your record, it will be stored in the database like this: `&lt;B&gt;Hello world&lt;/B&gt;`. But when you open that field again and make changes to it, there's the possibility that it will get re-encoded, like this: `&amp;lt;B&amp;gt;Hello world&amp;lt;/B&amp;gt;`. That is obviously bad; it destroys your HTML. So I recommend encoding the data as soon as you response.write it to the window.
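The two placements of HTMLEncode compared above, worked through as an added example that is not from either poster. It is written in JavaScript rather than classic ASP so it runs stand-alone; `htmlEncode` is an assumed stand-in for Server.HTMLEncode covering the four characters that matter here, `db` is a constructed one-field in-memory record, and the edit round trip models a user opening the stored value in a form and saving it through the same path.

```javascript
// Stand-in for Server.HTMLEncode (assumption: only & < > " are relevant here).
// '&' must be encoded first, otherwise the entities just produced get re-encoded.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Constructed in-memory "table" with a single field; no real database involved.
const db = { some_field: "" };

// Approach A: encode when updating the record.
// An edit form loads the stored (already encoded) value and saves it back through
// the same encoding path, so every save layers another round of encoding.
function storeEncoded(value) { db.some_field = htmlEncode(value); }
function editRoundTripEncoded() { storeEncoded(db.some_field); }
function renderStoredAsIs() { return db.some_field; }

// Approach B: store the raw text, encode at response.write time.
// Re-saving is idempotent and every read path goes through exactly one encoder.
function storeRaw(value) { db.some_field = value; }
function editRoundTripRaw() { storeRaw(db.some_field); }
function renderEncoded() { return htmlEncode(db.some_field); }

// Runs both flows on the thread's own inputs and returns what reaches the page.
function demo() {
  const markup = "<B>Hello world</B>";
  const hostile = "<script>1337 h@x</script>";

  storeEncoded(markup);
  const aFirstSave = renderStoredAsIs();   // &lt;B&gt;Hello world&lt;/B&gt;
  editRoundTripEncoded();
  const aAfterEdit = renderStoredAsIs();   // &amp;lt;B&amp;gt;... : markup destroyed

  storeRaw(markup);
  editRoundTripRaw();
  const bAfterEdit = renderEncoded();      // still &lt;B&gt;Hello world&lt;/B&gt;

  storeRaw(hostile);
  const bHostile = renderEncoded();        // no raw <script> reaches the browser

  return { aFirstSave, aAfterEdit, bAfterEdit, bHostile };
}
```

Approach B also covers rows that were inserted by some other code path (an import, an admin tool) and never encoded, which approach A silently misses.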