August 15, 2013 at 11:44 am
Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?
August 15, 2013 at 12:02 pm
MSSQL_NOOB (8/15/2013)
Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?
I guess that depends on what the column is used for and more importantly how the information got there.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
August 15, 2013 at 12:09 pm
If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert SQL injection / cross-site scripting?
On the other hand, if it's there for an online form to display, then it should be okay, correct?
If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?
August 16, 2013 at 9:11 am
MSSQL_NOOB (8/15/2013)
If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert SQL injection / cross-site scripting?
On the other hand, if it's there for an online form to display, then it should be okay, correct?
If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?
I think the data in your varchar() column would only raise SQL injection issues if you are building T-SQL batches as strings from the values in that column and then executing them. In that case, if someone managed to get a malicious string into that column and it was executed, you would have a problem.
If you're just retrieving the data in the column as part of query results that are returned to the client application, it should be fine to store strings with HTML tags in a varchar() column. I don't know of any security threats presented by this practice.
Jason Wolfkill
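The distinction in the reply above, as an added T-SQL illustration (not code from either poster): plain retrieval and parameterised execution keep the stored HTML as data, whereas concatenating it into a batch turns it into code. The table, column and user names are assumed for the demo, and the role grants address the original "SELECT only" question on the database side.

```sql
-- Constructed demo schema (assumed names): a varchar column holding HTML fragments.
CREATE TABLE dbo.PageFragment (
    FragmentId int IDENTITY(1,1) PRIMARY KEY,
    Body       varchar(4000) NOT NULL
);
INSERT INTO dbo.PageFragment (Body) VALUES ('<p>Hello, <b>world</b></p>');

-- Plain retrieval: to SQL Server the HTML is opaque text; nothing in it executes here.
SELECT FragmentId, Body FROM dbo.PageFragment WHERE FragmentId = 1;

-- RISKY pattern the reply warns about: the column value is spliced into a batch and executed.
-- The value is now part of the statement, so any quote characters inside Body alter its meaning.
DECLARE @sql nvarchar(max);
SELECT @sql = N'SELECT ''' + Body + N''' AS Html'
FROM dbo.PageFragment WHERE FragmentId = 1;
-- EXEC (@sql);   -- left commented out: this shape is the problem, not the stored HTML itself

-- SAFER: pass the value as a parameter to sp_executesql; it stays data regardless of its contents.
DECLARE @body varchar(4000);
SELECT @body = Body FROM dbo.PageFragment WHERE FragmentId = 1;
EXEC sys.sp_executesql
    N'SELECT @html AS Html',
    N'@html varchar(4000)',
    @html = @body;

-- Database-side answer to the "SELECT only" question: a read-only role for the display path.
CREATE ROLE FragmentReader;
GRANT SELECT ON OBJECT::dbo.PageFragment TO FragmentReader;
DENY INSERT, UPDATE, DELETE ON OBJECT::dbo.PageFragment TO FragmentReader;
-- Add the web application's database user (name assumed); sp_addrolemember works on SQL 2008.
EXEC sp_addrolemember 'FragmentReader', 'WebAppUser';
```

Nothing in the database distinguishes markup from text, so the cross-site scripting side of the question is decided where the value is rendered: HTML-encode or sanitise on output in the application, independent of which role reads the row.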
August 16, 2013 at 9:57 am
OK. Thanks for the clarification.