August 15, 2013 at 11:44 am
Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?
August 15, 2013 at 12:02 pm
MSSQL_NOOB (8/15/2013)
Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?
I guess that depends on what the column is used for and more importantly how the information got there.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
August 15, 2013 at 12:09 pm
If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert sql injection / cross site scripting?
On the other hand, if it's there for an online form to display, then it should be okay, correct?
If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?
August 16, 2013 at 9:11 am
MSSQL_NOOB (8/15/2013)
If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert sql injection / cross site scripting?
On the other hand, if it's there for an online form to display, then it should be okay, correct?
If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?
I think the data in your varchar() column would only raise SQL injection issues if you are building T-SQL batches as strings from the values in that column and then executing them. In that case, if someone managed to get a malicious string into that column and it was executed, you would have a problem.
If you're just retrieving the data in the column as part of query results that are returned to the client application, it should be fine to store strings with HTML tags in a varchar() column. I don't know of any security threats presented by this practice.
Jason Wolfkill
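As an added illustration of the two points in Jason's reply (this is not code from the thread), the following T-SQL shows the risky pattern of pasting a stored column value into a batch and executing it, the parameterised equivalent, and a role-based way to answer the "SELECT only, not INSERT / UPDATE" question. The table, column, role and user names are constructed for the example.

```sql
-- Constructed schema: a varchar column that holds HTML fragments.
CREATE TABLE dbo.PageSnippet (
    SnippetId int IDENTITY PRIMARY KEY,
    Body      varchar(4000) NOT NULL   -- HTML tags stored as plain text
);
INSERT INTO dbo.PageSnippet (Body) VALUES ('<p>Hello, <b>world</b></p>');

-- Harmless: the column value is only returned to the client as data.
SELECT SnippetId, Body FROM dbo.PageSnippet;

-- RISKY pattern (the case Jason describes): the stored value is
-- concatenated into a T-SQL string and then executed. A value that
-- contains a quote mark changes the meaning of the batch instead of
-- staying data, so whoever controls the column controls the batch.
DECLARE @risky nvarchar(max);
SELECT @risky = N'SELECT ''' + Body + N''' AS Html'
  FROM dbo.PageSnippet WHERE SnippetId = 1;
EXEC (@risky);                        -- avoid with user-supplied data

-- SAFE equivalent: hand the value over as a parameter, never as code.
-- The engine treats @html as a value no matter what characters it holds.
DECLARE @body varchar(4000);
SELECT @body = Body FROM dbo.PageSnippet WHERE SnippetId = 1;
EXEC sys.sp_executesql
     N'SELECT @html AS Html',
     N'@html varchar(4000)',
     @html = @body;

-- Database-side control for the second question: a column cannot be
-- marked "SELECT only" by itself, but permissions on the table can.
-- Put the web application's database user in a read-only role.
CREATE ROLE SnippetReader;
GRANT SELECT ON dbo.PageSnippet TO SnippetReader;
DENY INSERT, UPDATE, DELETE ON dbo.PageSnippet TO SnippetReader;
EXEC sp_addrolemember 'SnippetReader', 'WebAppUser';   -- placeholder user
```

The HTML inside the column is a rendering concern for the web tier (encode it when writing it into a page); on the database side it is just text, and the batch-building pattern above is what to look for.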
August 16, 2013 at 9:57 am
OK. Thanks for the clarification.