views: 185

answers: 2

I am using linq-to-sql to load and save data to a database. Since most of the data to save or load is user input, and to avoid all possible risks of saving raw data, I decided to HtmlEncode the input. Here is a summary of what I do:

  1. Encode the input before saving it to the database.
  2. Decode the input to be able to manipulate the raw data.
  3. Re-encode the input for display to the user.

The problem is that I had to create another business object to convert the data I get from the database to the actual raw data the user entered, thus rendering my linq business object somewhat useless.

Am I doing something wrong? Do I really need to convert the data on its way to the database if I am using linq to sql?

+2  A: 

It sounds like you should store the data raw in the database, and then always encode it before displaying it to the user. You do not have to worry about SQL injections when you're using LINQ to SQL, since it is using parameterized queries behind the scenes.

Jan Aagaard
+1  A: 

Just store the raw HTML into your database, and use HTMLEncode() (or even better, Microsoft's Anti-Cross Site Scripting Library's HTMLEncode() method) when you're displaying it publicly.

http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en

Nicholas H
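Both answers describe the same pattern: persist the raw text, work on the raw text, and HTML-encode once at the output boundary. The following C# is an added illustration, not code from the question or from either answerer; it assumes an in-memory `List<Comment>` standing in for the LINQ to SQL table (so it runs without SQL Server) and uses `System.Net.WebUtility.HtmlEncode` in place of `HttpUtility.HtmlEncode` to avoid a reference to `System.Web`. The last lines show the double-encoding the question's encode-before-save approach produces unless a decode step is inserted.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example. A plain List<T> stands in for the LINQ to SQL table; the
// point is where encoding happens, not how rows are persisted.
public class Comment
{
    public int Id { get; set; }
    public string Body { get; set; }   // stored exactly as the user typed it
}

public static class CommentStore
{
    private static readonly List<Comment> Table = new List<Comment>();

    // Save the raw text. With a real DataContext the value travels to SQL
    // Server as a query parameter, so no escaping is needed for the database.
    public static void Save(string rawBody)
    {
        Table.Add(new Comment { Id = Table.Count + 1, Body = rawBody });
    }

    // Business logic operates on the raw value; no decode step is required.
    public static IEnumerable<Comment> ContainingWord(string word)
    {
        return Table.Where(c => c.Body.Contains(word));
    }

    // Encode exactly once, at the HTML output boundary.
    public static string RenderAsHtml(Comment c)
    {
        return "<p>" + WebUtility.HtmlEncode(c.Body) + "</p>";
    }
}

public static class Program
{
    public static void Main()
    {
        string userInput = "5 < 6 & \"quotes\"";              // constructed sample input
        CommentStore.Save(userInput);
        Comment stored = CommentStore.ContainingWord("quotes").First();
        Console.WriteLine(stored.Body);                        // raw: 5 < 6 & "quotes"
        Console.WriteLine(CommentStore.RenderAsHtml(stored));  // <p>5 &lt; 6 &amp; &quot;quotes&quot;</p>

        // The question's approach: encode before save, then encode again on display.
        string encodedAtSave = WebUtility.HtmlEncode(userInput);
        Console.WriteLine(WebUtility.HtmlEncode(encodedAtSave)); // double-encoded: 5 &amp;lt; 6 &amp;amp; ...
    }
}
```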