Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Server.HTMLEncode use/overuse

Status
Not open for further replies.
rahlquist

rahlquist

Programmer
Mar 18, 2003
4
0
0
US
Hello,

Would there be any use/benefit to using Server.HTMLEncode with parametized SQL? For example.
Code: 
   Set conn = Server.CreateObject("ADODB.Connection")
   conn.CursorLocation = adUseServer
   conn.open cStr_TMD
   Set cmd = Server.CreateObject("ADODB.Command")
   cmd.ActiveConnection = conn
   cmd.CommandText = "dbo.app_employeeselect"
   cmd.CommandType = adCmdStoredProc
   cmd.Parameters.Refresh
   cmd.Parameters(1).Value=Request.QueryString("searchtype")
   cmd.Parameters(2).Value=Request.QueryString("criteria")
   Set rs = cmd.Execute

Should the parameters be changed to this to further sanitize the params;
Code: 
   cmd.Parameters(1).Value=Server.HTMLEncode(Request.QueryString("searchtype"))
   cmd.Parameters(2).Value=Server.HTMLEncode(Request.QueryString("criteria"))
 
Sort by date Sort by votes
You are already using a command object with parameters. This will protect you from SQL Injection attacks. If you use HTMLEncode on your parameters, you will get unintended consequences. For example, if the user entered a criteria of "Red Shirt", the HTMLEncode function would return "Red%20Shirt" which you then pass to the database (presumably to search for results). with the %20 in the data, you are not likely to find the correct results.

-George
Microsoft SQL Server MVP
My Blogs
SQLCop
twitter
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Whiskypoo
  • Locked
  • Question
Select option compare user input
Replies
3
Views
53
ChrisHirst
ChrisHirst
stergiosnik
  • Locked
  • Question
ASP MS Access Operation must use an updateable query
Replies
5
Views
36
guitarzan
guitarzan
greathope123
  • Locked
  • Question
How to use Session.Abandon? 1
Replies
5
Views
19
madiaz91911
madiaz91911
mbrayc
  • Locked
  • Question
Stuck on 1st page of Legacy ASP site on new server (User ID now blank)
Replies
6
Views
76
mbrayc
mbrayc
AndrewWiggins99
  • Locked
  • Question
Determine Active Directories username
Replies
2
Views
39
ChrisHirst
ChrisHirst

Part and Inventory Search

Sponsor

Back
Top