I have a problem with inserting HTML data into SQL Server. Here are the details:

This is my stored procedure:

CREATE PROCEDURE InsertBody
    @articleID int,
    @articleBody nvarchar(max)
AS
    -- replaces the article body for the given id
    UPDATE v2_Articles SET articleBody = @articleBody WHERE articleID = @articleID

And this is my ASP code for inserting the data:

' swap double quotes for double quotes (a no-op) and single quotes for double quotes
x_articleBody = Replace(Replace(Request.Form("x_articleBody"), CHR(34), """"), "'", """")

Connection.Open(ConnStr)
' the line continuation must sit outside the string literal
Connection.Execute("EXEC InsertBody @articleID = " & aID & ", " & _
    "@articleBody = '" & x_articleBody & "'")
Connection.Close()

And this is the data I am inserting:

<font> TEXT TEXT &nbsp;&nbsp; TEXT TEXT</font>

So, the problem is: when I try this, the data is saved only up to

&nbsp;

It means that after the process the SQL table looks like this:

<font> TEXT TEXT

Does anyone have an idea about that?

PS: I'm using the NicEdit text editor for generating the HTML data.

Comments
  • This is all kinds of bad. Why save HTML in a database? Are you validating your arguments? How do you keep from saving malicious HTML? You should use an sproc and not dynamic SQL. Etc. etc. Commented Apr 13, 2011 at 11:10
  • because no one can insert any malicious HTML, this is local application and none of pages accessible except admin=)) Commented Apr 13, 2011 at 11:53

1 Answer

First of all, do not use embedded SQL. You are causing yourself extra headaches by doing that, because you have to go through this data cleansing mess, and you're exposing your application to potential SQL injection.

Create a stored procedure that takes the text as a parameter, and use that to save your HTML markup.


1 Comment

Thank you Kon, could you please advise about taking text as a parameter? =)
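The following is an added example, not code from the question or the answer, showing what "take the text as a parameter" looks like in classic ASP: the same InsertBody procedure is called through an ADODB.Command with typed parameters, so the article body is passed to SQL Server as a value rather than spliced into a command string. Because the body never becomes part of the SQL text, the Replace() calls that rewrote quotes are no longer needed and the HTML is stored exactly as posted. The form field names, the ConnStr connection string and the numeric ADO constants are assumptions (the constants are the standard ADO values, spelled out because plain ASP pages do not have adovbs.inc included by default).

```vbscript
<%
Option Explicit

' --- input from the form (field names assumed from the original post) ---
Dim articleID, articleBody
articleID   = CLng(Request.Form("x_articleID"))   ' CLng raises an error on non-numeric input
articleBody = Request.Form("x_articleBody")        ' raw HTML from the editor, left untouched

' ADO constants, written out because adovbs.inc is not included here
Const adCmdStoredProc   = 4
Const adParamInput      = 1
Const adInteger         = 3
Const adLongVarWChar    = 203   ' maps to nvarchar(max)
Const adExecuteNoRecords = 128

' variable-length parameters need a non-zero size; an empty body still gets size 1
Dim bodySize
bodySize = Len(articleBody)
If bodySize = 0 Then bodySize = 1

Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open ConnStr   ' ConnStr is assumed to be defined elsewhere, as in the question

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "InsertBody"   ' procedure name from the question

' each value travels as a typed parameter, never as part of the SQL string
cmd.Parameters.Append cmd.CreateParameter("@articleID", adInteger, adParamInput, , articleID)
cmd.Parameters.Append cmd.CreateParameter("@articleBody", adLongVarWChar, adParamInput, bodySize, articleBody)

cmd.Execute , , adExecuteNoRecords   ' UPDATE returns no rows, so skip building a recordset

Set cmd = Nothing
conn.Close
Set conn = Nothing
%>
```

With this shape the only thing the page has to validate is the article id (CLng rejects anything that is not a number); the body can contain single quotes, double quotes, ampersands or semicolons without affecting the statement that is executed. Whether the stored HTML is safe to render back to other users is a separate question that parameterisation does not answer; that depends on who can post and how the page later outputs it.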
