HTML Encoding with ASP.NET


Problem description

I am currently HTML encoding all user entered text before inserting/updating a db table record. The problem is that on any subsequent updates, the previously encoded string is re-encoded. This endless loop is starting to eat up a lot of column space in my tables. I am using parameterized queries for all SQL statements but am wondering would it be safe to just let the .NET Framework handle this part without the HTML encoding?

Recommended answer

You should always HTML encode user data upon displaying, never upon storing. Save the user input in the DB (using parametrized queries or whatnot to prevent SQL injection) and then HTML encode when outputting the data. That way you'll never have this problem.

HTML encoding is built into the ASP.NET framework really simply. This is how you do it:

<!-- ASP.NET 3.5 and below -->
<%= Html.Encode(yourStuff) %>

<!-- ASP.NET 4 -->
<%: yourStuff %>
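To make the answer concrete, here is an added example (not code from the original answer) that simulates the save/edit/save cycle from the question: it uses System.Web.HttpUtility, a constructed user input, and a round-trip through an edit form where the TextBox encodes the stored value for its attribute and the browser decodes it once on submit. Encoding on store nests entities on every save; storing raw and encoding on output stays stable.

```csharp
using System;
using System.Web;

// Added example: compares encode-on-store with store-raw/encode-on-output.
static class EncodingDemo
{
    // What the edit page posts back on the next save. The TextBox encodes the
    // stored value for the HTML attribute and the browser decodes it once when
    // the form is submitted, so the posted value equals whatever was stored.
    static string EditFormRoundTrip(string stored) =>
        HttpUtility.HtmlDecode(HttpUtility.HtmlAttributeEncode(stored));

    // Anti-pattern from the question: encode on the way into the database.
    static string SaveEncodeOnStore(string posted) => HttpUtility.HtmlEncode(posted);

    // Recommended pattern: store the raw text (written with a parameterized
    // query in a real application; a plain string stands in for the column here).
    static string SaveRaw(string posted) => posted;

    // Encoding happens here, exactly once, when the value is written into the
    // page (what <%= Html.Encode(x) %> or <%: x %> does in a view).
    static string Render(string stored) => HttpUtility.HtmlEncode(stored);

    static void Main()
    {
        // Constructed sample input typed by a user into a form field.
        string userInput = "Tom & <Jerry>";

        string encodedColumn = SaveEncodeOnStore(userInput);
        string rawColumn = SaveRaw(userInput);

        // Each iteration is one "open the edit page, click save" cycle.
        for (int update = 1; update <= 3; update++)
        {
            encodedColumn = SaveEncodeOnStore(EditFormRoundTrip(encodedColumn));
            rawColumn = SaveRaw(EditFormRoundTrip(rawColumn));
            Console.WriteLine($"update {update}: encode-on-store column = {encodedColumn} ({encodedColumn.Length} chars)");
            Console.WriteLine($"update {update}: store-raw column       = {rawColumn} ({rawColumn.Length} chars)");
        }

        // Rendering encodes once. From the raw column the browser shows the
        // original text; from the encoded column it shows nested entities as
        // literal text, and the column keeps growing with every save.
        Console.WriteLine("rendered from raw column:     " + Render(rawColumn));
        Console.WriteLine("rendered from encoded column: " + Render(encodedColumn));
    }
}
```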

