
Encoding data securely

Status
Not open for further replies.

jgd1234567

Programmer
May 2, 2007
GB
Hi, I'm coming from a PHP background where every time I posted a variable back to the server I would wrap it in a function before passing it into my SQL statement. This allowed me to do a replacement for HTML entities and also a MySQL fix to avoid SQL injections.

With ASP.NET, if I use parameters I avoid any SQL injections, but I still have problems with HTML entities.

Say in the edit profile area of my site I have a FormView which uses two-way databinding and contains a TextBox for the user's first name. Then say I wrap the value (when posted back) with Server.HtmlEncode before updating the value in the database. If the user entered "<a test", the next time the user edits their profile it says "&lt;a test", since the TextBox control also does its own encoding. I could decode the value before binding it within my TextBox, but this is a very hacky solution.

My next idea was not to encode the text at all in the database and instead only encode the text where it is output on the site. This seems to work, but I'm not sure if this is secure enough, since I would have to remember to encode the data every time I display it.

I'm sure people have had similar problems and I would really, really appreciate your solution. Thanks
 
We have database functions that strip any HTML. Also, I have written RegEx functions to strip any HTML before saving to the DB.
 
You can also use HttpContext.Current.Server.HTMLEncode to encode any potential scripting tags before assigning the value to a variable.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Hi, so are you saying I should definitely encode before inserting into the database? If so, then how would I accomplish two-way databinding?
 
Are you saying you want any HTML tags to be encoded/safe when displaying the text in a Label or something, but decoded when you display the text in a TextBox?

Since you want to perform a transformation on the data to display in certain views, the presentation layer might be the most appropriate choice to code your solution.

What I'd do is create a special TextBox:

Code:
//NOTE: uncompiled, untested code.
using System.Web;
using System.Web.UI.WebControls;

public class DecodeTextBox : TextBox
{
   // Keeps the encoded form in the base control and hands back the decoded
   // form when read. HttpUtility is the static equivalent of Server.HtmlEncode,
   // usable from inside a control where no Server property is in scope.
   public override string Text
   {
      get { return HttpUtility.HtmlDecode(base.Text); }
      set { base.Text = HttpUtility.HtmlEncode(value); }
   }
}

MCP, MCTS - .NET Framework 2.0 Web Applications
 
Hi, cheers. I just played around with this idea, but the Text property of the TextBox control is already encoded and, however hard I tried, it would not decode. Also I noticed a lot of other controls encode data for you, such as the DropDownList and the GridView. Therefore storing the data in the database encoded caused problems, since I was getting double encoding. It appears the only way is to encode on display, unless I override every single control.

I'd appreciate it if someone could tell me if there is a better solution. Thanks
 
Here's an alternate approach that will probably accomplish what you want.

How about a business object that exposes a safe version of the data? Using an ObjectDataSource, you should still be able to use two-way binding after writing the proper data access logic, but you also have the ability to have a Label or other display control bind to a property that has a safe version of the stored data.

Code:
using System.Web;

public class MyObject
{
    private string _text;

    // Raw value as entered; this is what a TextBox two-way binds to.
    public string Text
    {
        get { return _text; }
        set { _text = value; }
    }

    // HTML-encoded view of Text for display controls such as a Label.
    public string SafeText
    {
        get { return HttpContext.Current.Server.HtmlEncode(Text); }
    }

    //add other properties for your entity here

    //add data access code here which will let you bind
    //to an ObjectDataSource.
}

Alternately, you can have a SafeLabel instead of the TextBox:

Code:
using System.Web;
using System.Web.UI.WebControls;

public class SafeLabel : Label
{
   // Encodes on the way in, so whatever is bound to Text renders as text,
   // never as markup.
   public override string Text
   {
      get { return base.Text; }
      set { base.Text = HttpUtility.HtmlEncode(value); }
   }
}

MCP, MCTS - .NET Framework 2.0 Web Applications
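As an added illustration (not code from this thread), a small console program contrasting the two strategies discussed above: encoding before storage, which double-encodes once the TextBox applies its own encoding, versus storing the raw value and exposing an encoded property for display controls. It assumes System.Net.WebUtility.HtmlEncode (.NET 4 and later) in place of Server.HtmlEncode, and stands in for the TextBox's own encoding with a RenderTextBox helper.

```csharp
using System;
using System.Net;

// Added illustration, not code from the thread. WebUtility.HtmlEncode is the
// static equivalent of Server.HtmlEncode for this purpose (assumption: .NET 4+).
public class Profile
{
    // Stored exactly as the user typed it (encode-at-output strategy), so a
    // TextBox can two-way bind to it without any decoding.
    public string FirstName { get; set; }

    // Encoded once, at display time, for a Label or GridView to bind to.
    public string SafeFirstName
    {
        get { return WebUtility.HtmlEncode(FirstName); }
    }
}

public static class Demo
{
    // Stand-in for the ASP.NET TextBox, which encodes the value it renders.
    public static string RenderTextBox(string text)
    {
        return "<input type=\"text\" value=\"" + WebUtility.HtmlEncode(text) + "\" />";
    }

    // Encode-before-storing strategy: what the profile page would persist.
    public static string SaveEncoded(string postedValue)
    {
        return WebUtility.HtmlEncode(postedValue);
    }

    public static void Main()
    {
        string typed = "<a test";

        // Strategy 1: the stored value is already encoded, so the TextBox
        // encodes it a second time and the user sees entities instead of '<'.
        string stored = SaveEncoded(typed);
        Console.WriteLine(RenderTextBox(stored));
        // Saving the (unchanged) edit form encodes the entities yet again,
        // so the stored text grows on every round trip.
        stored = SaveEncoded(stored);
        Console.WriteLine(stored);

        // Strategy 2: the TextBox round-trips the raw value unchanged and the
        // encoded form only exists at the point of display.
        var profile = new Profile { FirstName = typed };
        Console.WriteLine(RenderTextBox(profile.FirstName));
        Console.WriteLine(profile.SafeFirstName);
    }
}
```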
 
Hi, cheers boulderbum. Since I am already using a business logic layer, I think I will go for your first option.

Thanks again.
 