Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

server.htmlencode sql injection

Status
Not open for further replies.
Cullen411

Cullen411

Programmer
Aug 17, 2005
89
GB
should I use both server.htmlencode and an SQL injection protection function for every text field and textarea that a visitor can enter info into?
An example would be a user registration form
 
Sort by date Sort by votes
I'm not sure it would be necessary to use HTMLEncode, it would depend on what you plan to do with the text I'd guess.
Definately do SQL injection protection on all your form fields before using them in a SQL statement. Any form value could be spoofed. So make sure you validate lengths and such as well, besides escaping special characters.

barcode_1.gif
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

leifoet
  • Locked
  • Question
Problem: sql-Select with request.form
2
Replies
22
Views
319
leifoet
leifoet
penguinspeaks
  • Locked
  • Question
SQL syntax
Replies
8
Views
110
penguinspeaks
penguinspeaks
axLW
  • Locked
  • Question
reduce number of sql statements and set EOF parameter
Replies
13
Views
165
ChrisHirst
ChrisHirst
EricBCA
  • Locked
  • Question
Is it possible for ASP to connect to SQL Server via ODBC without a password
Replies
1
Views
73
ChrisHirst
ChrisHirst
rahlquist
  • Locked
  • Question
Server.HTMLEncode use/overuse
Replies
1
Views
41
gmmastros
gmmastros

Part and Inventory Search

Sponsor

Back
Top