Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here


Server.HTMLEncode use/overuse

Server.HTMLEncode use/overuse

Server.HTMLEncode use/overuse


Would there be any use/benefit to using Server.HTMLEncode with parametized SQL? For example.

CODE -->

Set conn = Server.CreateObject("ADODB.Connection") conn.CursorLocation = adUseServer conn.open cStr_TMD Set cmd = Server.CreateObject("ADODB.Command") cmd.ActiveConnection = conn cmd.CommandText = "dbo.app_employeeselect" cmd.CommandType = adCmdStoredProc cmd.Parameters.Refresh cmd.Parameters(1).Value=Request.QueryString("searchtype") cmd.Parameters(2).Value=Request.QueryString("criteria") Set rs = cmd.Execute

Should the parameters be changed to this to further sanitize the params;

CODE -->

cmd.Parameters(1).Value=Server.HTMLEncode(Request.QueryString("searchtype")) cmd.Parameters(2).Value=Server.HTMLEncode(Request.QueryString("criteria"))

RE: Server.HTMLEncode use/overuse

You are already using a command object with parameters. This will protect you from SQL Injection attacks. If you use HTMLEncode on your parameters, you will get unintended consequences. For example, if the user entered a criteria of "Red Shirt", the HTMLEncode function would return "Red%20Shirt" which you then pass to the database (presumably to search for results). with the %20 in the data, you are not likely to find the correct results.

Microsoft SQL Server MVP
My Blogs
"The great things about standards is that there are so many to choose from." - Fortune Cookie Wisdom

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close