Preventing Injection attacks
Message
From
10/09/2008 04:59:51

General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01341172
Message ID: 01346266
Views: 16
This message has been marked as one that helped answer the initial question of the thread.
Hello Naomi,

You don't have to clean the database. To ensure that no malicious <script> tags can be embedded into your pages,
you have to encode the data before output.

So instead of
Response.Write(databasereader.GetString(1));
you write
Response.Write(HttpUtility.HtmlEncode(databasereader.GetString(1)));

This way the content of the database does not matter; everything is HTML encoded and will just be displayed as plain text.

P.S.: the UT is also not protected
<script>alert('Hello World');</script>
<script>script>alert('Hello World');

Regards
Christian
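Added example, not code from the post or from the Universal Thread: a small console program that keeps the same <script> payload in a constructed in-memory stand-in for the database column, renders it once by raw concatenation (the vulnerable Response.Write) and once through HtmlEncode, and checks which output still contains a live tag. It uses System.Net.WebUtility.HtmlEncode, which needs no System.Web reference and behaves like HttpUtility.HtmlEncode on .NET 4 and later; the StoredComments list and the ContainsLiveTag helper are assumptions made for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class OutputEncodingDemo
{
    // Constructed stand-in for databasereader.GetString(1): the rows are
    // stored exactly as submitted, including the payload from the post.
    // Nothing is cleaned in the "database"; only the output is encoded.
    static readonly List<string> StoredComments = new List<string>
    {
        "Nice article!",
        "<script>alert('Hello World');</script>",
        "Use <b>bold</b> & \"quotes\" freely",
    };

    // Vulnerable: mirrors Response.Write(databasereader.GetString(1)).
    static string RenderRaw(string stored) => "<td>" + stored + "</td>";

    // Hardened: mirrors Response.Write(HttpUtility.HtmlEncode(...)).
    // HtmlEncode turns & < > " into entities and, on .NET 4+, ' into &#39;.
    static string RenderEncoded(string stored) => "<td>" + WebUtility.HtmlEncode(stored) + "</td>";

    // Demo helper: after stripping the <td>...</td> wrapper we added ourselves,
    // any remaining '<' means the stored text reached the browser as markup.
    static bool ContainsLiveTag(string html)
    {
        string inner = html.Substring(4, html.Length - 9);
        return inner.Contains("<");
    }

    static void Main()
    {
        foreach (string stored in StoredComments)
        {
            string raw = RenderRaw(stored);
            string safe = RenderEncoded(stored);
            Console.WriteLine("raw:     {0}  live tag: {1}", raw, ContainsLiveTag(raw));
            Console.WriteLine("encoded: {0}  live tag: {1}", safe, ContainsLiveTag(safe));
            Console.WriteLine();
        }
    }
}
```

HtmlEncode is the right encoder for HTML element content and double-quoted attribute values; a value written into a <script> block, an event handler or a URL needs that context's own encoder instead. Note that on .NET 2.0 and 3.5 (the era of SQL Server 2005), HttpUtility.HtmlEncode left the apostrophe unencoded, so values placed inside single-quoted attributes were not protected by it.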