views: 74

answers: 4

I have a tiny editor web page where my users can use this editor, and I am saving the HTML into my database.

I am having issues saving this HTML to my database. For example, if there is a name with a "'", or if there are other HTML characters such as "<" or ">", my code seems to blow up on the insert.

Are there any best practices for taking arbitrary HTML and having it persist fully to a DB field without worrying about any specific characters?

+2  A: 

Do you insert using SqlParameter? If yes, you should not have problems; check that.

Andrey
In principle yes, but in case any other parts of the SQL either exec or make assumptions about the contents of the database, you should always encode user input.
Russ C
A: 

You could just HtmlEncode the data. You'll have a HttpContext.Current.Server object, so in pseudo code you'd just do:

Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));

and to retrieve it:

myHtml = HttpContext.Current.Server.HtmlDecode(DataBase.Load());
Russ C
@russ - this seems to go against the best practice of doing encoding in the view - http://stackoverflow.com/questions/2914062/where-should-i-encode-this-html-data-in-an-asp-net-mvc-site
ooo
@russ - I just realized that tiny editor seems to do this for you, so that's why I was confused why everything was working without me doing anything.
ooo
+2  A: 

I'm wondering if you are building the full query. Instead use a parameterized query and that should eliminate your data problems.

// using System.Data.SqlClient;
string sqlIns = "INSERT INTO table (name, information, other) VALUES (@name, @information, @other)";

// Parameter values travel separately from the SQL text, so quotes and
// angle brackets in the data can neither break nor alter the statement.
using (SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection))
{
    cmdIns.Parameters.AddWithValue("@name", info);
    cmdIns.Parameters.AddWithValue("@information", info1);
    cmdIns.Parameters.AddWithValue("@other", info2);
    cmdIns.ExecuteNonQuery();
}
Jeff Siver
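Added example (not from any of the answers above): a Python/SQLite version of the same two points, the parameterized insert from this answer and the encode-in-the-view approach discussed under Russ C's answer. It builds the INSERT by string concatenation first, which is what breaks on an apostrophe, then does the parameterized insert, stores the HTML unchanged, and encodes only when rendering. The in-memory database, the `documents` table and the sample editor output are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample: the kind of editor output the question describes,
# containing an apostrophe, angle brackets and an entity.
SAMPLE_HTML = "<p>O'Brien said <b>\"hello\"</b> &amp; left</p>"


def open_db():
    """In-memory SQLite database standing in for the real one (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT, information TEXT)"
    )
    return conn


def insert_concatenated(conn, name, information):
    """The failure mode from the question: the INSERT is assembled from
    the data itself, so a quote in the data ends the string literal early.
    Returns True on success, False when the statement no longer parses."""
    sql = (
        "INSERT INTO documents (name, information) VALUES ('"
        + name + "', '" + information + "')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def insert_parameterized(conn, name, information):
    """Equivalent of the SqlParameter approach: placeholders in the SQL,
    values passed separately, so the driver never treats data as SQL text.
    Returns the new row id."""
    cur = conn.execute(
        "INSERT INTO documents (name, information) VALUES (?, ?)",
        (name, information),
    )
    conn.commit()
    return cur.lastrowid


def load_raw(conn, row_id):
    """Return the stored HTML exactly as it was saved (no decoding needed)."""
    row = conn.execute(
        "SELECT information FROM documents WHERE id = ?", (row_id,)
    ).fetchone()
    return row[0] if row else None


def render_for_display(raw_html):
    """Encode at output time (in the view), as the linked best practice says:
    the database keeps the original HTML; escaping happens where it is shown."""
    return html.escape(raw_html, quote=True)


if __name__ == "__main__":
    conn = open_db()
    print("concatenated insert ok:", insert_concatenated(conn, "O'Brien", SAMPLE_HTML))
    row_id = insert_parameterized(conn, "O'Brien", SAMPLE_HTML)
    print("stored unchanged:", load_raw(conn, row_id) == SAMPLE_HTML)
    print("for display:", render_for_display(load_raw(conn, row_id)))
```

The concatenated insert fails on the apostrophe in "O'Brien" with a syntax error, which is the symptom described in the question; the parameterized insert stores the same string byte for byte, and `render_for_display` is the only place the HTML gets encoded.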
A: 

Just reading through this - is your problem actually on the insert statement or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.

Hal
... and I agree with OMG Ponies, et al., that you *really* need to make sure that you have a need to accept HTML into your db.
Hal