Jump to content

converting db stuff to html safe stuff


Splurd
 Share

Recommended Posts

basicly doing a simple page to get stuff from a database, select update add that sorta stuff.But one problem I want to avoid is if there are stuff like < > tags in the db, when I extract the values, will it error my html in my page. Like what if someone did a <script> 1337 h@x </script> on me.So the obvious way would be to replace the < tags, with > < (I think that was it, got to checK)But I am not sure the best way to do it, and where to do it? (like, should I do it before the db is updated, or do it when I am response.writing my data

Link to comment
Share on other sites

basicly doing a simple page to get stuff from a database, select update add that sorta stuff.But one problem I want to avoid is if there are stuff like < > tags in the db, when I extract the values, will it error my html in my page. Like what if someone did a <script> 1337 h@x </script> on me.So the obvious way would be to replace the < tags, with > < (I think that was it, got to checK)But I am not sure the best way to do it, and where to do it? (like, should I do it before the db is updated, or do it when I am response.writing my data

As a general rule of thumb, you should sanitize your data before you put it in the database. Use Server.HTMLEncode, like this:
'... open database, get dataresponse.write Server.HTMLEncode(RS("some_field"))'...close database

Or use it like this when you're updating your database:

'... open database for updatingRS.Open SQL, Conn, 3, 3    RS("some_field1") = Server.HTMLEncode(some_variable)    RS("some_field2") = Server.HTMLEncode(some_other_variable)    RS("some_field3") = Server.HTMLEncode(another_variable)    RS.UpdateRS.Close'...close database

In my experience, I haven't had any problems HTMLEncoding my data when as soon as I response.write it to the screen, as opposed to encoding it before I put it in my database. Sometimes, encoding data when you update the database produces odd results, for instance if you take this text:

<B>Hello world</B>.

And HTMLEncode it before you update your record, it will be stored in the database like this:

<B>Hello world</B>.

But when you open that field again and make changes to it, theres the possibility that it will get re-encoded, like this:

&lt;B&gt;Hello world&lt;/B&gt;

That is obviously bad, it destroys your HTML. So I recommend encoding the database as soon as you response.write it to the window.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...