Solved

HTML - ASP Server Encode (

Posted on 2011-10-17
Last Modified: 2012-05-12
Hello,

I have a form that inserts data into a database. I've just found that the data being inserted is resulting in the following -

(

The part of my insert statement that grabs the variable looks like -

Dim CMDProductInsert__name
CMDProductInsert__name = ""
if(UploadFormRequest("name") <> "") then CMDProductInsert__name = Server.HTMLEncode(ProtectSQL(UploadFormRequest("name")))

Where  ProtectSQL is -

Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Replace(SQLString, "(","&#40;")
SQLString = Replace(SQLString, ")","&#41;")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function
Question by:garethtnash
9 Comments
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 36981594
What are you inserting?
And what is the question?

Author Comment

by:garethtnash
ID: 36981618
the data inserted was (1)

I got back -

&amp;#40;1&amp;#41;

which when rendered displays like &#40;1&#41;

How do I correct this, whilst still encoding my html and also protecting my sql?

thank you
LVL 18

Expert Comment

by:nap0leon
ID: 36981671
If the value is "Robert (Bob)" then

ProtectSQL returns "Robert &#40;Bob&#41;"
HTMLEncode(ProtectSQL) encodes the & as &amp;
Thusly, you get "Robert &amp;amp40;Bob&amp;amp41;"

If you do not desire such a result, you can move the conversion of the () to after you have HTMLEncoded it.

e.g.,
value = FixParens(Server.HTMLEncode(ProtectSQL(UploadFormRequest("name"))))

where ProtectSQL is
Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function

and FixParens is
Function FixParens(SQLString)
SQLString = Replace(SQLString, "(","&#40;")
SQLString = Replace(SQLString, ")","&#41;")
SQLString = Trim(SQLString)
FixParens = SQLString
End Function
LVL 31

Expert Comment

by:Wayne Barron
ID: 36981712
Or
you can do as I do, and reverse everything.

Function ProtectSQL(SQLString)
SQLString = Replace(SQLString, "'", "''")
SQLString = Replace(SQLString, vblf,"<br />")
SQLString = Replace(SQLString, "(","&#40;")
SQLString = Replace(SQLString, ")","&#41;")
SQLString = Trim(SQLString)
ProtectSQL = SQLString
End Function

Function ReverseSQL(SQLRev)
SQLRev = Replace(SQLRev, "''", "'")
SQLRev = Replace(SQLRev,"<br />", vblf)
SQLRev = Replace(SQLRev,"&#40;", "(")
SQLRev = Replace(SQLRev,"&#41;", ")")
SQLRev = Trim(SQLRev)
ReverseSQL = SQLRev
End Function

You protect your inserted code with ProtectSQL()
And then to display it back to the page as ReverseSQL()

This keeps the code in place and protected.

Author Comment

by:garethtnash
ID: 36981766
Hi Guys,

Sorry, being dumb here -

Nap0leon, does your solution still protect the SQL statement from injection?

CarrzKiss I don't have &#40; I have &amp;#40;

Sorry if I'm being dumb
LVL 31

Expert Comment

by:Wayne Barron
ID: 36981874
I am trying to reproduce it and I cannot.
You are writing (1) or (40) and you are getting that value.

Remove the HTMLEncode and see if that will correct it and let me know.
LVL 31

Accepted Solution

by:
Wayne Barron earned 1000 total points
ID: 36981890
That's it.
Server.HTMLEncode

Try this

Server.HTMLEncode(ReverseSQL())

This should resolve it
LVL 18

Assisted Solution

by:nap0leon
nap0leon earned 1000 total points
ID: 36981961
In my solution, I merely moved the () changes to outside of the HTMLEncode so that the &s in your &#40;  replacement you were running do not get encoded to &amp;.

The code would still be protected as well as your initial method.

Personally, I prefer carrzkiss' method... anything I manually change, I manually change back.

But, that presumes the data is only being consumed by your webpages... if a reporting tool or similar is accessing the data in the DB directly, then you will need it to be sanitized before it is inserted (which leads us back to the 3 step approach).
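An added example, not code from this thread, of the approach nap0leon's last point leads to: the raw value is stored through a parameterised ADODB command (so the quote-doubling and parenthesis rewriting in ProtectSQL are not needed for injection protection, and reporting tools see the real text), and Server.HTMLEncode runs exactly once, at render time, with the line-break replacement applied after encoding so the <br /> tag is not itself escaped. The connection string in Application("ConnString") and the Products table with its name column are assumptions.

```vbscript
<%
' Added example, not from the thread. Assumes Application("ConnString")
' holds a valid ADO connection string and that a Products table with a
' varchar name column exists.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Store the raw value. A parameter is passed to the driver as data and is
' never parsed as part of the SQL text, so quotes and parentheses need no
' ProtectSQL-style rewriting before the insert.
Sub InsertProductName(ByVal rawName)
    Dim cn, cmd
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open Application("ConnString")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Products (name) VALUES (?)"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 255, Trim(rawName))
    cmd.Execute
    cn.Close
End Sub

' Encode exactly once, when the stored value is written into the page.
' The <br /> substitution comes after HTMLEncode; done before it, the tag
' would be escaped to &lt;br /&gt;, the same ordering problem that turned
' &#40; into &amp;#40; in the question.
Function RenderName(ByVal storedName)
    RenderName = Replace(Server.HTMLEncode(storedName), vbLf, "<br />")
End Function

If UploadFormRequest("name") <> "" Then
    InsertProductName UploadFormRequest("name")
End If

' "Robert (Bob)" is stored as typed and rendered with its parentheses intact;
' any markup in the value is neutralised by the single HTMLEncode call.
Response.Write RenderName("Robert (Bob)")
%>
```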

Author Closing Comment

by:garethtnash
ID: 36992353
thank you