
I have a tiny editor web page where my users can use this editor and I am saving the HTML into my database.

I am having issues saving this HTML to my database. For example, if there is a name with a "'" or if there are other HTML characters ("<", ">", etc.), my code seems to blow up on the insert.

Are there any best practices for taking arbitrary HTML and having it persist fully to a DB field without worrying about any specific characters?

  • 2
    The ability to embed Javascript is a rather large concern. Commented May 26, 2010 at 15:40
  • I just realized that tiny editor seems to do this for you, so that's why I was confused why everything was working without me doing anything. Commented May 26, 2010 at 16:40

4 Answers


I'm wondering if you are building the full query. Instead use a parameterized query and that should eliminate your data problems.

using System.Data.SqlClient;

string sqlIns = "INSERT INTO table (name, information, other) VALUES (@name, @information, @other)";

// The values travel separately from the SQL text, so quotes and angle brackets
// in the data cannot terminate the statement or change its meaning.
using (SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection))
{
    // AddWithValue replaces the obsolete Parameters.Add(string, object) overload.
    cmdIns.Parameters.AddWithValue("@name", info);
    cmdIns.Parameters.AddWithValue("@information", info1);
    cmdIns.Parameters.AddWithValue("@other", info2);
    cmdIns.ExecuteNonQuery();
}

Do you insert using SqlParameter? If yes, you should not have problems; check that.

1 Comment

In principle yes, but in case any other parts of the SQL either exec or make assumptions about the contents of the database, you should always encode user input.

You could just HtmlEncode the data. You'll have an HttpContext.Current.Server object, so in pseudo code you'd just do:

Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));

and to retrieve it:

myHtml = HttpContext.Current.Server.HtmlDecode(Database.Load());

2 Comments

This seems to go against this best practice of doing encoding in the view - stackoverflow.com/questions/2914062/…
I just realized that tiny editor seems to do this for you, so that's why I was confused why everything was working without me doing anything.
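A runnable illustration of the two points made in the answers above (parameters for the insert, encoding at output time rather than before storage), written here as an added example in Python with sqlite3 rather than the answers' C#/SqlCommand; the table, the column names and the editor output are constructed for the demo, and the escaping shown is for displaying the stored markup as text, not for rendering it as HTML:

```python
import html
import sqlite3

# Constructed editor output: an apostrophe, tags, an ampersand and quotes.
SAMPLE_HTML = "<p>O'Brien said: <b>1 < 2 && \"quotes\"</b></p>"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT, information TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, name: str, information: str) -> None:
    # The pattern the question describes: the full INSERT built as one string.
    # The apostrophe in the data closes the literal early and the statement fails.
    sql = f"INSERT INTO posts (name, information) VALUES ('{name}', '{information}')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, name: str, information: str) -> int:
    # Placeholders: the driver sends the values apart from the SQL text, so
    # quotes and angle brackets are just characters in the stored value.
    cur = conn.execute("INSERT INTO posts (name, information) VALUES (?, ?)", (name, information))
    return cur.lastrowid


def load(conn: sqlite3.Connection, row_id: int) -> tuple:
    return conn.execute("SELECT name, information FROM posts WHERE id = ?", (row_id,)).fetchone()


def render_as_text(information: str) -> str:
    # Encoding belongs in the view: the database keeps the HTML verbatim and
    # each output context escapes it as needed. This escapes for text output.
    return html.escape(information, quote=True)


def demo() -> tuple:
    conn = setup()
    try:
        insert_concatenated(conn, "O'Brien", SAMPLE_HTML)
        concat_failed = False
    except sqlite3.OperationalError:  # syntax error caused by the apostrophe
        concat_failed = True
    row_id = insert_parameterized(conn, "O'Brien", SAMPLE_HTML)
    _name, stored = load(conn, row_id)
    return concat_failed, stored == SAMPLE_HTML, render_as_text(stored)


if __name__ == "__main__":
    print(demo())
```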

Just reading through this - is your problem actually on the insert statement or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.

1 Comment

... and I agree with OMG Ponies, et al., that you really need to make sure that you have a need to accept HTML into your db.
