
converting db stuff to html safe stuff


Splurd


Basically doing a simple page to get stuff from a database: select, update, add, that sorta stuff. But one problem I want to avoid is if there is stuff like < > tags in the db; when I extract the values, will it error my html in my page? Like what if someone did a <script> 1337 h@x </script> on me. So the obvious way would be to replace the < tags with &gt; &lt; (I think that was it, got to check). But I am not sure the best way to do it, and where to do it? (like, should I do it before the db is updated, or do it when I am response.writing my data)



As a general rule of thumb, you should sanitize your data before you put it in the database. Use Server.HTMLEncode, like this:
'... open database, get data
response.write Server.HTMLEncode(RS("some_field"))
'... close database

Or use it like this when you're updating your database:

'... open database for updating
RS.Open SQL, Conn, 3, 3
    RS("some_field1") = Server.HTMLEncode(some_variable)
    RS("some_field2") = Server.HTMLEncode(some_other_variable)
    RS("some_field3") = Server.HTMLEncode(another_variable)
RS.Update
RS.Close
'... close database

In my experience, I haven't had any problems HTMLEncoding my data as soon as I response.write it to the screen, as opposed to encoding it before I put it in my database. Sometimes, encoding data when you update the database produces odd results; for instance, if you take this text:

<B>Hello world</B>.

And HTMLEncode it before you update your record, it will be stored in the database like this:

&lt;B&gt;Hello world&lt;/B&gt;.

But when you open that field again and make changes to it, there's the possibility that it will get re-encoded, like this:

&amp;lt;B&amp;gt;Hello world&amp;lt;/B&amp;gt;.

That is obviously bad; it destroys your HTML. So I recommend encoding the database value as soon as you response.write it to the window.

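To make the double-encoding problem from the reply concrete, here is an added example that is not from the thread: Python stands in for the ASP page, and html.escape plays the role of Server.HTMLEncode (an approximation; the real function escapes a slightly different set of characters). It models both strategies, encode-before-UPDATE versus encode-at-Response.Write, on the reply's own sample text and the original poster's script payload, and adds a small check for columns that already contain entities.

```python
import html

# Constructed sample inputs: the markup from the reply and the OP's payload.
SUBMITTED_MARKUP = "<B>Hello world</B>."
SUBMITTED_PAYLOAD = "<script> 1337 h@x </script>"


def html_encode(text):
    """Stand-in for Server.HTMLEncode: escapes &, <, > and quotes so the
    browser displays the characters instead of treating them as markup."""
    return html.escape(text, quote=True)


# Strategy A (encode before UPDATE): the column itself holds encoded text.
def save_encoded(user_input):
    return html_encode(user_input)


def edit_and_resave_encoded(stored_value):
    """Load the column into an edit form and save it through the same
    encode-on-update path. The user changed nothing, yet the value is
    encoded a second time (&lt; becomes &amp;lt;) and the HTML is destroyed."""
    return save_encoded(stored_value)


# Strategy B (encode at Response.Write): the column holds the raw text and
# escaping happens exactly once, at the point of output. Re-saving is a no-op.
def save_raw(user_input):
    return user_input


def render(stored_value):
    return html_encode(stored_value)


def looks_already_encoded(stored_value):
    """Heuristic for data written under Strategy A: if unescaping changes
    the text, it already contains entities and must not be encoded again
    on the next update."""
    return html.unescape(stored_value) != stored_value


if __name__ == "__main__":
    once = save_encoded(SUBMITTED_MARKUP)
    print("A, stored:      ", once)
    print("A, after edit:  ", edit_and_resave_encoded(once))
    raw = save_raw(save_raw(SUBMITTED_MARKUP))        # two saves, still raw
    print("B, stored:      ", raw)
    print("B, rendered:    ", render(raw))
    print("B, payload:     ", render(save_raw(SUBMITTED_PAYLOAD)))
```

Under Strategy B the script tags reach the browser as &lt;script&gt; text, so they display harmlessly; the raw column value is still not safe to echo anywhere without the output encoding step.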
