Preventing Injection attacks
10/09/2008 04:59:51
General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01341172
Message ID: 01346301
Views: 11
>Hello Naomi,
>
>You don't have to clean the database; to ensure that no malicious <script> tags can be embedded into your pages,
>you have to encode the data before output.
>
>So instead of
>Response.Write(databasereader.GetString(1));
>you write
>Response.Write(HttpUtility.HtmlEncode(databasereader.GetString(1)));
>
>This way the content of the database does not matter; everything is HTML encoded and will just be displayed as plain text.
>
>p.s.: the UT is also not protected
removed.
>
>Regards
>Christian

We're not using Response.Write much; we're using ASP.NET controls such as GridView, FormView, etc.

BTW, I was quite surprised to get "Hello, World" :)
If it's not broken, fix it until it is.


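The same output-encoding rule applies to data-bound controls, but not uniformly: a GridView BoundField HTML-encodes by default (its HtmlEncode property is true), while a TemplateField that writes Eval(...) emits the database value raw. The single-file ASPX page below is an added example, not code from either poster or from the UT site; it binds a constructed DataTable (standing in for the real SqlDataReader, with one row carrying a script payload) to a grid named CommentsGrid, which is an assumed name, and renders the Body column both ways so the difference is visible in the browser.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>

<script runat="server">
    // Added example: constructed sample rows stand in for the database.
    // The second row is the kind of value a stored-XSS attacker inserts.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        DataTable comments = new DataTable();
        comments.Columns.Add("Author", typeof(string));
        comments.Columns.Add("Body", typeof(string));
        comments.Rows.Add("alice", "Plain text is fine.");
        // "</" + "script>" is split only so the ASP.NET parser does not treat it
        // as the end of this server-side script block; the bound value is the full payload.
        comments.Rows.Add("mallory", "<script>alert('Hello, World')</" + "script>");

        CommentsGrid.DataSource = comments;   // CommentsGrid is an assumed control ID
        CommentsGrid.DataBind();
    }
</script>

<html>
<body>
<form id="MainForm" runat="server">
<asp:GridView ID="CommentsGrid" runat="server" AutoGenerateColumns="False">
    <Columns>
        <%-- BoundField encodes by default; set HtmlEncode explicitly so nobody "optimises" it away. --%>
        <asp:BoundField DataField="Author" HeaderText="Author" HtmlEncode="True" />

        <%-- VULNERABLE: Eval() in a TemplateField is written to the page unencoded, so the payload executes. --%>
        <asp:TemplateField HeaderText="Body (raw)">
            <ItemTemplate><%# Eval("Body") %></ItemTemplate>
        </asp:TemplateField>

        <%-- HARDENED: encode at output, exactly as with Response.Write.
             Convert.ToString turns a DBNull/null value into "" instead of throwing. --%>
        <asp:TemplateField HeaderText="Body (encoded)">
            <ItemTemplate><%# HttpUtility.HtmlEncode(Convert.ToString(Eval("Body"))) %></ItemTemplate>
        </asp:TemplateField>
    </Columns>
</asp:GridView>
</form>
</body>
</html>
```

Loading the page shows the alert fire from the "Body (raw)" column and the literal `<script>` text in the "Body (encoded)" column. The check to run against an existing site is therefore: grep the .aspx/.ascx files for `<%# Eval(` and `<%= ` and confirm each one is wrapped in HttpUtility.HtmlEncode (or, on ASP.NET 4.5 and later, uses the `<%#: %>` / `<%: %>` forms, which encode automatically). FormView and DetailsView templates follow the same rule as the TemplateField above.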