encoding

samerh

Hi In asp.net website when writting inside textboxes html tags or single cote an error is generated " potentially dangerous Request.Form value was detected from the client ". I used to put in page directive of master page validaterequest=false and everything is ok. I have met someone who told me that this is not secure and can cause sql injection (but iam using stored procedures) or script injection. I have also read about enabling "Debug=true" directive at the top of the file that generated the error I also know that we can encode our text values and save them in sql as encoded using Server.HtmlEncode(txtName.Text)); but do i have in this case to write Server.HtmlEncode and decode when reading for every textbox i have and does it have any influence on loading time, does it take time???? plz advice and thanks

G K Singh

first thing using validaterequest=false is not secure is right. It may cause of script injection but sql injection can be used. Server.HtmlEncode will protect you for script injection. about the loading time you can check your self as: add: enabled="true" mostRecent="true" requestLimit="50" /> In your web.config file and... Then open trace.axd file by write in end of your url like: http://www.codeproject.com/script/Forums/Edit.aspx/trace.axd

Gaurav Kumar Singh Consultant (Asp.net)