Smart questions
Smart answers
Smart people
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login
Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

LINK TO THIS FORUM!

Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

Tek-Tips LinkedIn® Group

Partner With Us!

"Best Of Breed" Forums Add Stickiness To Your Site
Partner Button
(Download This Button Today!)

Feedback

"...Your site is a great idea. I should have joined your site years ago. Better late than never..."
More...

Geography

Where in the world do Tek-Tips members come from?
Click Here To Find Out!

Tek-Tips Shirts!

Get Tek-Tips Swag
Get your
Tek-Tips Forums
SWAG here!
Home > Forums > Programmers > Web Development > Microsoft: ASP (Active Server Pages) Forum

Server.HTMLEncode use/overuse

thread333-1684182
Read More Threads Like This One
rahlquist (Programmer)
25 May 12 9:05
Hello,

Would there be any use/benefit to using Server.HTMLEncode with parametized SQL? For example.

CODE -->

Set conn = Server.CreateObject("ADODB.Connection") conn.CursorLocation = adUseServer conn.open cStr_TMD Set cmd = Server.CreateObject("ADODB.Command") cmd.ActiveConnection = conn cmd.CommandText = "dbo.app_employeeselect" cmd.CommandType = adCmdStoredProc cmd.Parameters.Refresh cmd.Parameters(1).Value=Request.QueryString("searchtype") cmd.Parameters(2).Value=Request.QueryString("criteria") Set rs = cmd.Execute

Should the parameters be changed to this to further sanitize the params;

CODE -->

cmd.Parameters(1).Value=Server.HTMLEncode(Request.QueryString("searchtype")) cmd.Parameters(2).Value=Server.HTMLEncode(Request.QueryString("criteria"))
gmmastros (Programmer)
25 May 12 9:20
You are already using a command object with parameters. This will protect you from SQL Injection attacks. If you use HTMLEncode on your parameters, you will get unintended consequences. For example, if the user entered a criteria of "Red Shirt", the HTMLEncode function would return "Red%20Shirt" which you then pass to the database (presumably to search for results). with the %20 in the data, you are not likely to find the correct results.

-George
Microsoft SQL Server MVP
My Blogs
SQLCop
twitter
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom

Read More Threads Like This One

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Back To Forum

Back To Microsoft: ASP (Active Server Pages)

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close