  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 400

asp insert html sql server

What is the best way to insert/retrieve HTML from ASP to SQL Server?
0
goodluck11
Asked:
1 Solution
 
Dave Baldwin (Fixer of Problems) Commented:
It depends.  This search http://www.google.com/search?q=asp+to+SQL+serve will bring up a lot of possibilities including this http://support.microsoft.com/kb/169377 from Microsoft.

Your question is very general.  You would get better answers if you give us some more detail about your code and resources.  Which SQL Server?  Which version of IIS?  And what are you actually wanting to do in the way of an application?
0
 
goodluck11 (Author) Commented:
SQL Server 2008
IIS 7
We have a textbox on an ASP page; we want the user to enter HTML code, save it on the server, and have it displayed on another ASP page.
0
 
goodluck11 (Author) Commented:
Those are general access to SQL Server.

We are looking to insert HTML specifically with ASP.
0

 
Dave Baldwin (Fixer of Problems) Commented:
HTML is nothing but text until a web browser has to interpret it as a page.  So you can enter the HTML in a text box, save it to the SQL Server, and retrieve it on another page and display it.  Nothing magic about it being HTML.  You will need to follow standard practice for escaping characters and all that to prevent SQL injection that might damage the contents of your SQL server.
0
 
goodluck11 (Author) Commented:
Don't we need to escape special chars or encode/decode when inserting/retrieving?

Something like this saved on the server?

<div class="Social-Links"> <a href="http://www.facebook.com

And then decode it when displaying to the browser?
0
 
Dave Baldwin (Fixer of Problems) Commented:
You can do that but preventing SQL injection is more important.  This page from Microsoft http://msdn.microsoft.com/en-us/library/ms161953.aspx addresses that issue.  You should always check for the ';' character and single quotes.  

I also truncate input to the proper size to prevent overflow problems.  You might be surprised how often people try to post complete and large web pages full of links to a textbox.  I also keep track of any detected errors in the data and abort if there are any.

Remember that most spam and hacking attempts skip your forms and go directly to your 'action' page.  While javascript validation can help the user enter the data correctly, it does nothing to prevent a direct attack or submission.
0
 
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) Commented:
Regarding SQL injection, I would recommend using the COMMAND object when saving to the database; that way you don't have to worry about checking for different attack styles, the database side of things would handle that. You would just specify the input type (text, number, whatever) and the command would treat whatever's entered as the parameter.

If this is going to be a public page, I would do a check for <script> tags, as this could allow users to embed dangerous HTML.

More on the Command object:
http://www.w3schools.com/ado/ado_ref_command.asp
0
 
goodluck11 (Author) Commented:
Thanks, can someone show sample code for how to do this?

Do we need to escape the HTML code before saving it?
0
 
goodluck11 (Author) Commented:
We are doing something like this in C# and read this is safe (from injections):

    // The textbox value is bound as the @Text parameter, not concatenated into the SQL text.
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "insert into htmltemplates (htmltemplate) values (@Text)";
    cmd.Parameters.AddWithValue("@Text", TextBox5.Text);
    cmd.ExecuteNonQuery();
0
 
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) Commented:
The link I provided has sample code for using the Command object. Are you looking for classic ASP examples or ASP.NET examples?
0
 
goodluck11 (Author) Commented:
Thanks for your reply; we are looking for classic ASP and haven't found it.
0
 
goodluck11 (Author) Commented:
solution
0
 
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) Commented:
Was the link I provided not exactly what you need? If not, please explain what about it didn't meet your requirements.
0
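
Classic ASP version of the approach discussed in this thread (ADO Command object with a bound parameter, server-side length check, encoding on output), as an added example that is not code from any poster or from the linked pages. The table and column names come from the C# snippet above; the form field `html`, the key column `id`, `MAX_LEN`, the `Reject` and `NewCommand` helpers and the connection string are assumptions.

```asp
<%@ Language="VBScript" CodePage="65001" %>
<%
Option Explicit
' Added example. Assumed: form field "html", integer key column "id", MAX_LEN, CONN_STR.
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adLongVarWChar = 203
Const adExecuteNoRecords = 128, MAX_LEN = 8000
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"
Sub Reject(msg)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(msg)
    Response.End
End Sub

Function NewCommand(cn, sql)
    Dim c : Set c = Server.CreateObject("ADODB.Command")
    Set c.ActiveConnection = cn
    c.CommandType = adCmdText
    c.CommandText = sql
    Set NewCommand = c
End Function
Dim conn, cmd, rs, html, id, re
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    html = "" & Request.Form("html")
    ' Length is enforced on the server; client-side script is skipped by direct posts.
    If Len(html) = 0 Or Len(html) > MAX_LEN Then Reject "Input missing or too long."
Else
    id = "" & Request.QueryString("id")
    Set re = New RegExp : re.Pattern = "^\d{1,9}$"
    If Not re.Test(id) Then Reject "Bad id."
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR
If Len(html) > 0 Then
    ' The HTML travels as a bound parameter, so quotes and ';' stay data, not SQL.
    Set cmd = NewCommand(conn, "INSERT INTO htmltemplates (htmltemplate) VALUES (?)")
    cmd.Parameters.Append cmd.CreateParameter("@Text", adLongVarWChar, adParamInput, MAX_LEN, html)
    cmd.Execute , , adExecuteNoRecords
    Response.Write "Saved."
Else
    Set cmd = NewCommand(conn, "SELECT htmltemplate FROM htmltemplates WHERE id = ?")
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))
    Set rs = cmd.Execute
    ' HTMLEncode shows the stored markup as text. Writing it unencoded renders it,
    ' including any <script> a user saved, so do that only for trusted or filtered input.
    If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("htmltemplate").Value)
    rs.Close
End If
conn.Close
%>
```

The HTML is stored unmodified; no escaping is applied before the insert because the parameter binding keeps it out of the SQL text, and encoding is a decision made at output time.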
