Solved

asp insert html sql server

Posted on 2012-03-15
13
395 Views
Last Modified: 2012-03-31
what is the best way to insert/retrieve html from asp to SQL server ?
0
Comment
Question by:goodluck11
13 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 37727995
It depends.  This search http://www.google.com/search?q=asp+to+SQL+serve will bring up a lot of possibilities including this http://support.microsoft.com/kb/169377 from Microsoft.

Your question is very general.  You would get better answers if you give us some more detail about your code and resources.  Which SQL Server?  Which version of IIS?  And what are you actually wanting to do in the way of an application?
0
 

Author Comment

by:goodluck11
ID: 37733788
sql server 2008
IIS 7
We have a textbox on ASP; we want the user to enter HTML code, save it on the server, and have it displayed on another ASP page.
0
 

Author Comment

by:goodluck11
ID: 37733792
Those are for general access to SQL Server.

We are looking to insert HTML specifically with ASP.
0

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 37733825
HTML is nothing but text until a web browser has to interpret it as a page.  So you can enter the HTML in a text box, save it to the SQL Server, and retrieve it on another page and display it.  Nothing magic about it being HTML.  You will need to follow standard practice for escaping characters and all that to prevent SQL injection that might damage the contents of your SQL server.
0
 

Author Comment

by:goodluck11
ID: 37736293
Don't we need to escape special chars or encode/decode when inserting/retrieving?

Something like this saved on the server?

<div class="Social-Links"> <a href="http://www.facebook.com

and then decode it when displaying to the browser?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 37736471
You can do that but preventing SQL injection is more important.  This page from Microsoft http://msdn.microsoft.com/en-us/library/ms161953.aspx addresses that issue.  You should always check for the ';' character and single quotes.  

I also truncate input to the proper size to prevent overflow problems.  You might be surprised how often people try to post complete and large web pages full of links to a textbox.  I also keep track of any detected errors in the data and abort if there are any.

Remember that most spam and hacking attempts skip your forms and go directly to your 'action' page.  While javascript validation can help the user enter the data correctly, it does nothing to prevent a direct attack or submission.
0
 
LVL 33

Expert Comment

by:Big Monty
ID: 37738606
Regarding SQL injection, I would recommend using the COMMAND object when saving to the database; that way you don't have to worry about checking for different attack styles, the database side of things would handle that. You would just specify the input type (text, number, whatever) and the command would treat whatever's entered as the parameter.

If this is going to be a public page, I would do a check for <script> tags, as this could allow users to embed dangerous HTML.

more on the command object:
http://www.w3schools.com/ado/ado_ref_command.asp
0
 

Author Comment

by:goodluck11
ID: 37769669
Thanks, can someone show sample code for how to do this?

Do we need to escape the HTML code before saving it?
0
 

Accepted Solution

by:
goodluck11 earned 0 total points
ID: 37769690
We are doing something like this in C# and read this is safe (from injections):

    using System.Data.SqlClient;

    // conn is an already-open SqlConnection. The textbox value is bound as a
    // parameter, so quotes or semicolons in the HTML are stored literally and
    // never become part of the SQL statement.
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "insert into htmltemplates (htmltemplate) values (@Text)";
    cmd.Parameters.AddWithValue("@Text", TextBox5.Text);
    cmd.ExecuteNonQuery();
0
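The accepted solution above is C#, while the asker wanted classic ASP. The following is an added example, not code from this thread or from any of its participants, showing the parameterised ADO Command approach Big Monty describes (ID 37738606) in classic ASP VBScript: the HTML is stored verbatim through a bound parameter (so no escaping before saving), a coarse script-tag check is applied for untrusted authors, and the stored markup is written back raw on the display page. The table name and column follow the C# snippet; the `id` column, the connection string, the `htmltext` form field, the `id` query-string field and the size cap are assumptions made for this example. Save and display are shown in one file only to keep the example self-contained; in practice they would be two pages.

```vbscript
<%
Option Explicit
' Added example, not code from this thread: parameterised ADO Command in
' classic ASP (VBScript) against SQL Server 2008 on IIS 7.
' Assumed (not from the thread): a table htmltemplates(id INT IDENTITY,
' htmltemplate NVARCHAR(MAX)), the connection string below, a form field
' named "htmltext" and a query-string field named "id".
Const CONN_STR = "Provider=SQLNCLI10;Server=(local);Database=WebDb;Integrated Security=SSPI;"
Const MAX_LEN = 200000            ' cap on stored length; oversized posts are truncated

' ADO constants (values from adovbs.inc) so the page needs no include file
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adLongVarWChar = 203

' Coarse blocklist check for untrusted authors. A blocklist is easy to get
' wrong, so for public input prefer an allow-list sanitiser or restrict the
' editor to trusted staff; this only rejects the obvious case.
Function ContainsScript(html)
    ContainsScript = (InStr(1, html, "<script", vbTextCompare) > 0)
End Function

' Insert the HTML as a bound parameter. The "?" marker is filled in by ADO,
' so quotes and semicolons inside the HTML are stored as plain data and
' never become part of the SQL statement.
Function SaveTemplate(html)
    Dim conn, cmd
    SaveTemplate = False
    If Len(html) = 0 Or ContainsScript(html) Then Exit Function
    If Len(html) > MAX_LEN Then html = Left(html, MAX_LEN)

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO htmltemplates (htmltemplate) VALUES (?)"
    cmd.Parameters.Append cmd.CreateParameter("@Text", adLongVarWChar, adParamInput, Len(html), html)
    cmd.Execute
    conn.Close
    SaveTemplate = True
End Function

' Read one template back by numeric id, again through a bound parameter.
Function LoadTemplate(id)
    Dim conn, cmd, rs
    LoadTemplate = ""
    If Not IsNumeric(id) Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT htmltemplate FROM htmltemplates WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Id", adInteger, adParamInput, , CLng(id))
    Set rs = cmd.Execute
    If Not rs.EOF Then LoadTemplate = rs("htmltemplate") & ""   ' & "" turns NULL into ""
    rs.Close
    conn.Close
End Function

' Save step: nothing is escaped before storage, because the parameter does
' the quoting; storing the HTML verbatim is what lets it render later.
If Request.Form("htmltext") <> "" Then
    If SaveTemplate(Request.Form("htmltext")) Then
        Response.Write "<p>Saved.</p>"
    Else
        Response.Write "<p>Rejected: empty, or contains a script tag.</p>"
    End If
End If

' Display step: write the stored markup raw only when the author is trusted
' (it is meant to render as HTML). To show the source as text instead, or
' for untrusted content, Server.HTMLEncode turns it back into visible text.
Dim stored
stored = LoadTemplate(Request.QueryString("id"))
If stored <> "" Then
    Response.Write stored                       ' renders the saved HTML
    ' Response.Write Server.HTMLEncode(stored)  ' shows it as text instead
End If
%>
```

The ADO constants are inlined so the page does not depend on adovbs.inc; with the SQL Server provider, ADO uses positional `?` markers and the name given to CreateParameter is only a local label. The decision that actually matters for safety is the one Dave Baldwin raises: whoever can submit this form can publish markup to every visitor of the display page, so the parameter removes the injection risk but not the trust question about the author.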
 
LVL 33

Expert Comment

by:Big Monty
ID: 37772266
The link I provided has sample code for using the command object. Are you looking for classic ASP examples or ASP.NET examples?
0
 

Author Comment

by:goodluck11
ID: 37787352
Thanks for your reply; we are looking for classic ASP and haven't found it.
0
 

Author Closing Comment

by:goodluck11
ID: 37790545
solution
0
 
LVL 33

Expert Comment

by:Big Monty
ID: 37791704
Was the link I provided not exactly what you need? If not please explain what about it didn't meet your requirements.
0