Hi

Just wondering, should I encode all the data before I put it into the database or when I display it to the user? Or both?

Right now I do it when I display to the user. I am using ASP.NET MVC 2.0, so I usually just make everything <%: %>, which does the encoding for me.

I am not sure about both though; it might be a little extreme to do it two times.

Also, I really only have to watch out for user-inputted strings, right?

Like I just ran into a problem where one of my plugins could not for some reason figure out how to sort dates if the date was html encoded.

I just made it encode without thinking. Now that someone pointed it out to me, it makes little sense to do this since I get the date right out of the database, and in the database it is stored as a datetime. So you can't really store JavaScript in there.

So I am guessing I really don't have to encode these (correct me if I am wrong)

int, bit (bools), datetime and decimal types, if they're stored in the database this way.

I might still encode them just for the heck of it if it does not affect any of my plugins, but it's good to know that I probably don't have to.

+1  A: 

In most cases you should not have to HTML-encode data when you store it in your database. As you've noted yourself, for most data types (ints, dates, etc) it's better (i.e. more performant, works with other systems, etc) to save it unencoded.

The one case you do need to worry about is strings that come from an external source (like the end-user). Even in this case it should be sufficient to store the data unencoded and use <%: ... %> to encode once the data is returned to a browser. You should only consider encoding the string if it's coming from some markup-enabled user control (like TinyMCE text editor or something similar).

Also always be careful to protect yourself from SQL injection attacks. You should verify that a piece of data that's meant to represent a date is actually a date before you try to send it to your database.

marcind
Ya, TinyMCE is one exception to my rule. I can't HTML-encode it to the user (would defeat the purpose of it). So before I insert it into my db I use a whitelist and XSS library to check if it is all safe. As with SQL injection attacks, I use LINQ to SQL so everything has to be an object, so I have to convert the date from the form to a datetime, and if it can't parse it to a datetime then it ain't a datetime.
chobo2
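
An added example (not from the original posts) of the approach the answer and comment describe: keep strings raw in storage, parse typed values at the input boundary, and HTML-encode once at output. It uses `System.Net.WebUtility.HtmlEncode` as a stand-in for what `<%: %>` does in a view; the class and method names, the sample strings and the `yyyy-MM-dd` form format are assumptions made for the example.

```csharp
using System;
using System.Globalization;
using System.Net;

static class EncodeAtOutputDemo
{
    // Input boundary: accept a date only if it parses into a DateTime.
    // The "yyyy-MM-dd" form format is an assumption for this example.
    static bool TryReadDate(string formValue, out DateTime date)
    {
        return DateTime.TryParseExact(formValue, "yyyy-MM-dd",
            CultureInfo.InvariantCulture, DateTimeStyles.None, out date);
    }

    // Output boundary: HTML-encode exactly once, when writing into markup.
    static string RenderCell(string value)
    {
        return "<td>" + WebUtility.HtmlEncode(value) + "</td>";
    }

    static void Main()
    {
        // Constructed sample inputs.
        string userComment = "Tom & Jerry <script>alert(1)</script>";
        string[] dateInputs = { "2010-06-15", "<b>2010-06-15</b>", "2010-13-40" };

        // Stored raw: the database holds exactly what the user typed.
        string storedRaw = userComment;
        Console.WriteLine("encode on output : " + RenderCell(storedRaw));

        // Encoded before storage and again on output: double-encoded,
        // so the page shows entity text instead of the original characters.
        string storedEncoded = WebUtility.HtmlEncode(userComment);
        Console.WriteLine("encoded twice    : " + RenderCell(storedEncoded));

        // Encoded storage also changes the data for every non-HTML consumer.
        Console.WriteLine("raw length " + storedRaw.Length +
                          ", stored-encoded length " + storedEncoded.Length);

        // Typed values: anything that is not a date never reaches the DateTime column.
        foreach (string input in dateInputs)
        {
            DateTime parsed;
            bool ok = TryReadDate(input, out parsed);
            Console.WriteLine(input + " -> " + (ok ? parsed.ToString("o") : "rejected"));
        }
    }
}
```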