Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
Preventing Injection attacks
Message
From
10/09/2008 09:13:05
Naomi Nosonovsky
Wisconsin, United States
 
 
To
10/09/2008 04:59:51
Christian Ehlscheid
Edv Ermtraud Gmbh
Rengsdorf, Germany
General information
Forum:
Microsoft SQL Server
Category:
Other
Title:
Re: Preventing Injection attacks
Environment versions
SQL Server:
SQL Server 2005
Miscellaneous
Thread ID:
01341172
Message ID:
01346301
Views:
10
>Hello Naomi,
>
>you don't have to clean the database, to ensure that no malicious <script> tags can be embedded into your pages
>you have to encode the data before output.
>
>so instead of
>Response.Write(databasereader.GetString(1));
>you write
>Response.Write(HttpUtility.HtmlEncode(databasereader.GetString(1)));
>
>this way the content of the database does not matter, everthing is html encoded and will just be displayed as plain text.
>
>p.s.: the UT is also not protected
removed.
>
>Regards
>Christian

We're not using Response.Write too much, we're using ASP.NET controls such as GridView, FormView, etc.

BTW, I was quite surprised to get "Hello, World" :)
If it's not broken, fix it until it is.


My Blog
Previous
Reply
Map
View

Click here to load this message in the networking platform