What is the best practice? I am making an ASP.NET site where the user can input text data to be stored in a SQL database. I am using HttpUtility.HtmlEncode() to store the data and HtmlDecode to display it.
This works well, but it makes searching (selecting or free text) a lot more difficult. The user should be able to enter text containing <, “, ‘ and any other problematic character.
What is the best practice? To store the data un-encoded? How can I mitigate the risks of injection then?
Always store user input in the database unencoded, and always encode user input from database before outputting it.
You also should filter/validate user input before persisting.
This is the only sane way to use and reuse user data.
See also http://msdn.microsoft.com/en-us/library/t4ahd590%28v=vs.80%29.aspx#cpconbestsecuritypracticesforwebapplicationsanchor4
as well as Should HTML be encoded before being persisted?
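The pattern the answer describes (store the raw text, keep SQL injection out with parameterized queries, encode for HTML only at output time, and search against the raw text), as an added example that is not part of the original question or answer. It is written in Python against an in-memory SQLite database rather than C#/SQL Server so it runs stand-alone; the `comments` table, the helper names and the sample comment strings are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed sample input: the kind of text the question says users must be able to enter,
# including a classic injection-looking string that must be stored literally and harmlessly.
SAMPLE_COMMENTS = [
    "Compare a < b and \"quoted\" text with 'single' quotes",
    "Robert'); DROP TABLE comments; --",
    "plain text without special characters",
]


def open_db():
    """Create an in-memory database with one table for user comments (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_comment(conn, body):
    """Persist the text exactly as entered. The '?' placeholder hands the value to the
    driver as data, so quotes or SQL keywords in it never become part of the statement."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def _escape_like(needle):
    """Escape LIKE wildcards so a user searching for '%' or '_' gets a literal match."""
    return needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_comments(conn, needle):
    """Substring search over the raw text: a user looking for '<' finds '<',
    which would not work if the column held '&lt;' instead."""
    pattern = "%" + _escape_like(needle) + "%"
    rows = conn.execute(
        "SELECT body FROM comments WHERE body LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    )
    return [row[0] for row in rows]


def render_comment(body):
    """Encode at the last moment, for the HTML context the text is being placed into.
    Nothing stored in the database is ever trusted as markup."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def comment_count(conn):
    """Row count, used to show the 'DROP TABLE' string was stored as plain data."""
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def demo():
    conn = open_db()
    for comment in SAMPLE_COMMENTS:
        store_comment(conn, comment)
    for comment in search_comments(conn, "<"):
        print(render_comment(comment))
    return conn


if __name__ == "__main__":
    demo()
```

In ASP.NET the same division of labour is a parameterized `SqlCommand` (via `SqlParameter`) on the way in and `HttpUtility.HtmlEncode` (or the page framework's own output encoding) on the way out; the point is that encoding belongs to the output context, not to the stored value, so the stored value stays searchable and reusable in non-HTML contexts.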