bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 13:51:12

When I type in the string:
Testing the & character
..the backend stores it as:
Testing the & character
I do have Server.htmlEncode on the insert statement in order to add security. Why is this happening?

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 14:02:03

Can you please ask a specific question and provide some information? Re-read your post again, and tell me if you think it provides any information at all to help us help you.

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 14:09:16

When the user types into a text field the string value:
"This is the & sign test"
....when we go into the backend after the insert has committed, the db shows:
"This is the & sign test"
Why does this happen? I thought using Server.Htmlencode for the variable to insert into the column would take care of things like this.

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 14:43:03

Can you show us the code where you use the Server.Htmlencode function, and also show the code where you declare, add parameters to, and execute the SqlCommand?

Kristen
Test
22859 Posts
Posted - 2006-02-23 : 14:54:57

It's the other way round, isn't it?

User types in "&"
You store "&" in the database.
When you display that back to the user, encoding changes it to "&" - so you will display back to the user:
"Testing the & character"

Kristen

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 15:02:42

That's what I would think also .... hopefully we will get some actual specifics.

Storing a "&":
1. User types "&"
2. Form is submitted. The browser handles the *URL* encoding (different from HTML encoding)
3. Form is received.
4. Value is stored in the database.

Retrieving a "&":
1. Value of "&" is retrieved from the database into a string.
2. String gets HTML encoded.
3. String is output as HTML on a web page.

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 15:13:28

If I look in the actual db table, the string says "This is an & test"

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2006-02-23 : 15:19:07

quote: Originally posted by bubberz
If I look in the actual db table, the string says "This is an & test"

Well that's what they typed in, right? What do you expect the table to show?

Tara Kizer
aka tduggan

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 15:31:36

No, if they type in:
"This is an & test"
...the backend after a refresh says:
"This is an & test"

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 15:32:32

Is it me or has this been a frustrating day trying to help people? I give up.

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2006-02-23 : 15:42:01

quote: Originally posted by bubberz
No, if they type in:
"This is an & test"
...the backend after a refresh says:
"This is an & test"

Why is that a problem?!!! That's what they typed in!

Tara Kizer
aka tduggan

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 15:47:51

Too funny....the HTML is off for this forum. That's why it looks like I typed the same thing.

Arnold Fribble
Yak-finder General
1961 Posts
Posted - 2006-02-23 : 17:53:50

Trying to enter character entities into this forum software is a pain, it always does it wrong.

I suggest what he's saying is that the user is typing a single ampersand and it's getting stored in the database as the 5 character sequence & a m p ;

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 18:55:57

If that's the case, then what is the question? If he uses HTMLEncode on the value, it changes the "&" to "& a m p ;". Therefore, that's what gets stored in the database.

It's like applying the UCASE function on a string, storing the result in a table, and then wondering why it is being stored in all uppercase.

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 21:29:55

Thanks Arnold Fribble for the clarification! My entries to other forums didn't do this to my ampersand entry....so that's why I didn't understand people weren't getting what I was trying to say.

The whole point I used the Server.Htmlencode was some security testing before we implemented the SPROCS in the up and coming weeks. Of course if I knew it was as simple as UCASE() I wouldn't have posted the question. I found by several other posts from today that this will interpret several characters like ">", etc...............which I obviously didn't know about till the customers were asking why weird characters were showing up. After reading some security articles from DevX, I wanted to try this Server.HtmlEncode()...and now I know what can happen.

Thanks for the help, and hope this may help others.

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-23 : 21:34:19

Have you learned yet when you should use Server.HtmlEncode() to use it properly? I know that you read that it is "good for security", but do you know why?

bubberz
Constraint Violating Yak Guru
289 Posts
Posted - 2006-02-23 : 21:42:48

The whole / main point of the article was about possible JavaScript running from an entry into a string field.

Since the code we were given is all SQL concatenation, SPROCS are the real way to go...and that's what we'll do....soon.

There are some fields where I can still use Server.Htmlencode(), but not all of them....like filters and such.

Any pointers or tips are always welcome!
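The difference between the "all SQL concatenation" code bubberz describes and the parameterized approach, as an added example that is not part of this thread (the thread's stack is ASP and SQL Server; here Python's standard sqlite3 module stands in for the database, and the table name and sample inputs are constructed for the demonstration):

```python
import sqlite3

# Constructed sample inputs: the thread's ampersand example and an ordinary
# apostrophe, as a user might type either into a text field.
SAMPLE_INPUTS = [
    "This is the & sign test",
    "O'Brien & Sons",
]


def make_db():
    """In-memory SQLite table standing in for the backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, body):
    """The 'SQL concatenation' pattern: user text is spliced into the statement."""
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    conn.execute(sql)


def insert_parameterized(conn, body):
    """Parameterized insert: the driver sends the value separately from the SQL,
    so nothing in the text is ever parsed as SQL and '&' is stored as typed."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def fetch_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def run_comparison(inputs=SAMPLE_INPUTS):
    """Return what each approach stored, plus the inputs concatenation could not store."""
    param_conn = make_db()
    for text in inputs:
        insert_parameterized(param_conn, text)

    concat_conn = make_db()
    failed = []
    for text in inputs:
        try:
            insert_concatenated(concat_conn, text)
        except sqlite3.OperationalError:
            # A plain apostrophe in the data breaks the statement; this is the
            # same defect that SQL injection abuses, seen here as a benign error.
            failed.append(text)

    return {
        "parameterized": fetch_bodies(param_conn),
        "concatenated": fetch_bodies(concat_conn),
        "concatenation_failed_on": failed,
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(key, value)
```

Note that neither path applies HTML encoding: the database holds the text as typed, and the ampersand reads back unchanged.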
Kristen
Test
22859 Posts
Posted - 2006-02-24 : 00:53:49

FWIW we store the user's data as-typed. We encode data that we display - so if they type
<SCRIPT>... something damaging ...</SCRIPT>
then we will just display that back, encoded, so they see the angle brackets and all!

If you try to strip those characters out then you may end up breaking someone's delivery address ... and the shipment not get there. Same if you store "& AMP;" in the DB instead of "&" - if the data is printed on paper, not via a browser, then it's going to print just like that and confuse the Postie!

Kristen

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2006-02-24 : 13:56:05

Yup, Kristen, that pretty much is it. That is when you should use HTMLEncode -- when pulling data OUT of the database and returning it as HTML on a page. It also helps not only with security, but also with formatting and keeping your webpage looking correct. If I enter "<H1>JEFF</H1>" as my name on a forum, it would look pretty silly if the forum always showed my name in large, bold print!

bubberz -- I hope this sheds light on when to use this function properly, and I hope you do use it if that is a situation that applies to you.
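The two workflows the thread contrasts, storing as typed and encoding on output (Kristen's and jsmith8858's advice) versus encoding before the INSERT (the original question), side by side as an added example that is not code from this thread. Python's html.escape stands in for Server.HtmlEncode; the sample inputs are constructed, and the "paper" sink is a stand-in for any non-HTML output such as a shipping label:

```python
import html

# Constructed sample inputs, as a user might type them into a text field.
SAMPLE_INPUTS = [
    "Testing the & character",
    "<SCRIPT>... something damaging ...</SCRIPT>",
    '12 Smith & Wesson "Road"',
]


def store_as_typed(value):
    """Kristen's approach: persist exactly what the user typed."""
    return value


def store_encoded_on_input(value):
    """The pattern in the original question: HTML-encode before the INSERT."""
    return html.escape(value, quote=True)


def render_as_html(stored):
    """Encode at output time, which is where HTML encoding belongs.
    '&' -> '&amp;', '<' -> '&lt;', '>' -> '&gt;', quotes -> entities."""
    return html.escape(stored, quote=True)


def render_as_plain_text(stored):
    """Non-HTML sink (a printed label, a CSV export): no HTML encoding at all."""
    return stored


def compare(value):
    """Show what each storage choice produces at an HTML sink and a paper sink."""
    as_typed = store_as_typed(value)
    pre_encoded = store_encoded_on_input(value)
    return {
        # Correct: one round of encoding, applied at display time.
        "html_from_as_typed": render_as_html(as_typed),
        # Wrong: the stored '&amp;' is encoded again, so the page shows '&amp;'.
        "html_from_pre_encoded": render_as_html(pre_encoded),
        # Correct: the label prints the address as written.
        "paper_from_as_typed": render_as_plain_text(as_typed),
        # Wrong: entities end up on paper and "confuse the Postie".
        "paper_from_pre_encoded": render_as_plain_text(pre_encoded),
    }


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(repr(sample))
        for sink, text in compare(sample).items():
            print("   ", sink, "->", text)
```

The script-tag sample shows why encoding on output is the security control: the browser receives `&lt;SCRIPT&gt;` and renders the angle brackets as text instead of executing anything, while the database still holds what the user typed.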