Security :: Storing And Displaying User Input (encoding Query)?
Aug 30, 2010
how to handle html and scriptswhat . if I build my own CMS? Isn't it inevitable that I'll want to store html code, possibly scripts, and almost certainly apostrophes and special characters, and then display them again.
What's the best way to do this, since I wont want to display the encoded html, but the html itself.
Would it be to encode everything then when I want to actually display the html, decode it, but everywhere else, keep it encoded?
I'm just trying to think of all the scenario's that I could come across when I accept user input where I don't know what they could be typing in. What if I WANT the user to be able to display html? Is it possible to decode only some tags but leave all other tags encoded?
I would like a situation where there are three textbox available and this would give the user an opportunity to input a value in the textboxes. The value in the textboxes would then be stored in a database table(the table is already created in sql). Furthermore, the value would be able to be reterieved later on when the user presses another button. A sample code will help.
I have two text boxes for the user to enter UserName & First Name, both these fields are optional and not mandatory to fill.
once the user presses the Search button, i execute the following query to fetch matching records.
[Code]....
The problem is, in cases where User leaves both the textbox or one of the textbox empty/blank, in that case that particular field should be removed from where clause.
More like if something is entered then search for that particular record otherwise search for all the records.
When I first implemented forms authentication I consulted an article that told me to store the user's custom IPrincipal object in the cache. Is this wrong? Should I have stored it in the session?
I would like to make sure that everything that goes into my database is safe, i.e. protection from sql injection.
What I want to do is type something in a textbox, "<b>hello</b>" for example, it be encoded before it's put in the database, but when I retrieve it, I want it to display "hello" in bold.
I've tried the obvious of server.encode on input and server.decode on the output (to a label and a literal control), but couldn't get it to display the text in bold without having unencoded text in the database.
Yet for some reason an ASP TextBox with the TextMode="MultiLine" allows inputs of characters outside of UTF-8. When I paste the following line of text into an ASP TextBox that is not MultiLine
the non UTF-8 characters are replaced, but not when I use a MultiLine TextBox.
EDIT: To explain a little more the set up I am seeing this problem in, here are 4 text areas that can be put on an ASP page.
I have a quick Linq to SQL question. I am trying to write a Linq query that has multiple where clauses depening on user input. What I would intuitively code is:
Dim arrTerms As Array = txtUserInput.Text.Split(" ") Dim q = From newsitem In db.MyNewsTable _ Where newsitem.Contains(arrTerms) _ Select newsitem Listview1.DataSource = q Listview1.Databind()
Unfortunately, though, the "Contains" operattor does not accept an arraylist, or array, or anything but String.
i have my own DLL (for the data access layer),,i use escaping characters technique to avoid the user input errors ,, but recently i decided to enhance my classes and using parametrized query to prevent all possible errors,Is the modification will be easy or difficult ??how to convert this way to use the parametrized query ..
I am starting work on an already fully developed site. This site has no input encoding or output encoding. If some one ebters <input type="text"> in an insert form it is displayed as a real tex box when viewing that form details.
So how can i apply encoding at input or output to the WHOLE SITE?
turning on validate request is not an option as the cms wud need it off.
also this is .net 3.5 so no question od using <%: tags.
I am generating report through report viewer.. I want show my record which date i select but it cant select data from date which are giving it taking system date to display data...
Example: I select 2013-11-15 it does not showing any data but when i change my system date to 15 it is showing data...
I have a CMS page that allows the user to paste in or type HTML code into a TextBox in a FormView, then do an INSERT or UPDATE operation to an nvarchar(MAX) column in an SQL table. This is using an ObjectDataSource that refers to an insert or update method in a TableAdapter in my dataset.
When testing, the server initially warned me when I tried to input or update text containing HTML code; so I set the validateRequest="false" in my page header.
I gather this can be a serious security risk. What's the proper way to "validate" the string being input? Am I opening the database to SQL injection?
Only the site administrator has access to the CMS, but malicious could theoretically bust their way in...
this is basically to show a welcome message [welcome user]on the index page after login in as a registered user of my site. i can achieve this with session but i really want to see this work. i read it in a book. it is not working as i want instead it is displaying my pc's name, instead of showing welcome for the current loggrd in user. put into consideraton that i programmatically created my login controls, my database on sqlserver myself, without asp.net custom login controls.
//this is the label that shows the welcome text {welcomeLbl.Text = "you are welcome, "; //user.identity.name+"."; this is suppose to display the name of the current logged in user welcomeLbl.Text += User.Identity.Name + ".";}
I'm a complete novice to ASP.Net embarking on a charity work for a primary school in Africa to create a simple website. The website should have a webpage that users can upload pictures that is stored and displayed as thumbnails. Which can be click on to show the picture in its actual size.
I've used masterpages to create a consistent look across all pages. On the gallery page, I have a textbox and a button which are yet to be programmed.
a user loged in and he wants to delete his user. how do i make a delete query that refers to his userID how do i get the user id of the current logedin user?
I was wondering if anyone had a tutorial or overview of the best way to store html in a MS SQL database, and then calling it back up and displaying it and should I save the decoded html in ntext?
Since I'm new to coding and I'm trying to understand why here is a little more detail on the question.If you have a text box and you are limiting the input to say 2 charactrs do you really need to validate the input further? What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox. I should add this is in Asp.net.
I would like to program an Input Box that comes up when a user clicks 'Find' button. It asks 'Please enter an employee number'. Then it takes the employee number typed into a text box and searches a dataset for that specific employee record.
I know that it should be server side because the client may not have the proper javascript installed or diabled. Therefore, can someone give me some code to put in code behind that can pop up an input box and use the input after, if this can be done?
Is it possible to display a list of descriptive phrases (say pulled from a lookup table in a database) but store a code in another table? I'm a beginner at ASP.NET but have some experience with SQL Server. If so, how can I do it?
Receive "Login failed" for user ASPNET error message SQL Server 2005 is db and IIS is web server (both on same computer) Mixed authentication used on SQL Server I have created user ASPLogin with password that is correctly typed int the web.config: add name="masterConnectionString" connectionString="Data Source=computernameGMOSERVER;Initial Catalog=Portal;Persist Security Info=True;User ID=ASPLogin;Password=password" providerName="System.Data.SqlClient" />
I am able to access my webpages that query the database as long as they are not parameterized.However, the parameterized queries (e.g., SELECT * FROM SUPP_DASH_RESULTS WHERE organization_code = @orgcode) are the ones that do not work, and give me the "Login failed" error message
