Server.HTMLEncode use/overuse

Status
Not open for further replies.

rahlquist (Programmer), Mar 18, 2003
Hello,

Would there be any use/benefit to using Server.HTMLEncode with parameterized SQL? For example:
Code:
   ' ADO constants such as adUseServer and adCmdStoredProc come from
   ' adovbs.inc (or a METADATA typelib reference to the ADO library)
   Set conn = Server.CreateObject("ADODB.Connection")
   conn.CursorLocation = adUseServer
   conn.Open cStr_TMD            ' cStr_TMD holds the connection string
   Set cmd = Server.CreateObject("ADODB.Command")
   cmd.ActiveConnection = conn
   cmd.CommandText = "dbo.app_employeeselect"
   cmd.CommandType = adCmdStoredProc
   ' Ask the server for the procedure's parameter list;
   ' Parameters(0) is the return value, so inputs start at 1
   cmd.Parameters.Refresh
   cmd.Parameters(1).Value = Request.QueryString("searchtype")
   cmd.Parameters(2).Value = Request.QueryString("criteria")
   Set rs = cmd.Execute

Should the parameters be changed to this to further sanitize the params?
Code:
   ' Same call as above, but with the query-string values HTML-encoded first
   cmd.Parameters(1).Value = Server.HTMLEncode(Request.QueryString("searchtype"))
   cmd.Parameters(2).Value = Server.HTMLEncode(Request.QueryString("criteria"))
 
You are already using a command object with parameters. This will protect you from SQL Injection attacks. If you use HTMLEncode on your parameters, you will get unintended consequences. For example, if the user entered a criteria of "Red Shirt", the HTMLEncode function would return "Red%20Shirt", which you then pass to the database (presumably to search for results). With the %20 in the data, you are not likely to find the correct results.

-George
Microsoft SQL Server MVP
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom
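The two points in this answer, demonstrated in Python against an in-memory SQLite table rather than the ASP/ADO stack in the question (this is an added example, not code from the thread): a query built by string concatenation is injectable and even breaks on a legitimate apostrophe, the parameterized query treats the same strings as plain data, and HTML-encoding input before it reaches the database corrupts the search, whereas encoding at output time is where it belongs. The employee rows are constructed for the example, and the `html_encode` helper uses Python's `html.escape` as a stand-in for Server.HTMLEncode (the exact set of characters IIS encodes is assumed here, not copied from IIS).

```python
import html
import sqlite3

# Constructed sample rows (name, search criteria); not from the original thread.
EMPLOYEES = [
    ("Alice", "Red Shirt"),
    ("Bob", "Red & Blue Shirt"),
    ("Carol", "O'Brien"),
]


def make_db():
    """Build an in-memory table standing in for dbo.app_employeeselect's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, criteria TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return conn


def search_concat(conn, criteria):
    """The vulnerable pattern: user input spliced into the SQL text."""
    sql = ("SELECT name FROM employees WHERE criteria = '"
           + criteria + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def concat_fails(conn, criteria):
    """True if the concatenated query is rejected by the parser (e.g. on a quote)."""
    try:
        search_concat(conn, criteria)
    except sqlite3.OperationalError:
        return True
    return False


def search_param(conn, criteria):
    """The safe pattern: the ? placeholder plays the role of the ADODB.Command
    parameter, so the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM employees WHERE criteria = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (criteria,))]


def html_encode(text):
    """Stand-in for Server.HTMLEncode: encodes &, < and > as HTML entities
    (assumed character set for the example)."""
    return html.escape(text, quote=False)


def render_result(names):
    """HTML-encode at output time, where the encoding actually belongs."""
    items = "".join("<li>" + html_encode(n) + "</li>" for n in names)
    return "<ul>" + items + "</ul>"


if __name__ == "__main__":
    db = make_db()
    # Injection against concatenation: every row comes back.
    print(search_concat(db, "' OR '1'='1"))
    # The same string bound as a parameter matches nothing.
    print(search_param(db, "' OR '1'='1"))
    # Encoding before the database breaks a legitimate search for Bob.
    print(search_param(db, html_encode("Red & Blue Shirt")))
    # Encoding on output renders Bob's value safely.
    print(render_result(search_param(db, "Red & Blue Shirt")))
```

Run it and the concatenated query returns all three names for the injected string while the parameterized query returns none; the encoded search for "Red & Blue Shirt" finds nothing because the stored value still contains a bare ampersand, which is the unintended consequence George describes.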