Tuesday, March 20, 2012

Question about html editors with SQL Server

I have been coding in php for a while now and I'm starting to get into asp.net. I use htmlarea in php as my html editor, but I was told that it shouldn't be used when using asp.net and sql server, because it opens the server up for attack scripts. I don't understand why.
Can someone help me out? I would really like to use an html editor with my applications, but if it opens the server up for attacks then there is no point in using it.
Thanks,
Chad

Hello,
You can use it, but make sure you use Server.HtmlEncode() to encode the HTML text before submitting it to the database. The reason is that users can embed javascript or vbscript which can attack the database, or other users who load that HTML later. The script is "active" and will run in the browser, and do whatever malicious thing it may do. Server.HtmlEncode() encodes it, and Server.HtmlDecode() decodes it when you need it later.
Being a PHP developer, from this understanding, I'm curious: is it possible to embed script in PHP for attack scripts? I am curious...
HTH.
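The encode-on-store, decode-on-read round trip the answer describes, as an added example that is not part of the original post (written in JavaScript so the result reads like what a browser would receive; `storeSubmission`, `loadSubmission` and the sample editor submission are constructed for illustration). It escapes the same core characters as ASP.NET's Server.HtmlEncode; note that encoding the whole submission turns the editor's own formatting tags into literal text as well, so the stored value can only be displayed as text, not as rich HTML.

```javascript
// Added example (not from the original post): HTML-encode a rich-text
// editor submission before it reaches the database, so that any embedded
// <script> is stored as inert text rather than active markup.

// Constructed sample of what an HTML editor might post back, including an
// injected script tag that must never reach other users' browsers as markup.
const SAMPLE_SUBMISSION =
  '<p>Hello <b>world</b></p><script>alert(document.cookie)</script>';

// Escape the characters that turn text into markup: & < > "
function htmlEncode(s) {
  return s.replace(/[&<>"]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  })[c]);
}

// Reverse of htmlEncode. A single regex pass is used on purpose: an encoded
// '&amp;lt;' must decode to '&lt;', not be decoded twice into '<'.
function htmlDecode(s) {
  return s.replace(/&(lt|gt|quot|amp);/g, (_, name) =>
    ({ lt: '<', gt: '>', quot: '"', amp: '&' })[name]);
}

// Step 1 (hypothetical name): encode before the value goes to the database.
function storeSubmission(raw) {
  return htmlEncode(raw);
}

// Check used at render time: an encoded value contains no '<', so writing it
// straight into the response creates no script element in the browser.
function containsActiveMarkup(value) {
  return /<\s*script\b/i.test(value);
}

// Step 2 (hypothetical name): decode only when the original text is needed
// again on the server, never when writing it into a page.
function loadSubmission(stored) {
  return htmlDecode(stored);
}

const stored = storeSubmission(SAMPLE_SUBMISSION);
console.log('stored value:', stored);
console.log('active markup in raw submission:', containsActiveMarkup(SAMPLE_SUBMISSION));
console.log('active markup in stored value:', containsActiveMarkup(stored));
console.log('round trip intact:', loadSubmission(stored) === SAMPLE_SUBMISSION);
```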
