Cause of concern?

  • Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?

  • MSSQL_NOOB (8/15/2013)

    Is there a cause for concern if one of the tables in SQL2008 has a VARCHAR field, and in that field the "data" stored is HTML tags?

    I guess that depends on what the column is used for and more importantly how the information got there.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert SQL injection / cross site scripting?

    On the other hand, if it's there for an online form to display, then it should be okay, correct?

    If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?

  • MSSQL_NOOB (8/15/2013)

    If it's inserted from an online form, there's a cause for concern because, if you can insert HTML tags, you can insert SQL injection / cross site scripting?

    On the other hand, if it's there for an online form to display, then it should be okay, correct?

    If my statements above are correct, is there a way on the database side to ensure it's for SELECT only and not INSERT / UPDATE?

    I think the data in your varchar() column would only raise SQL injection issues if you are building T-SQL batches as strings from the values in that column and then executing them. In that case, if someone managed to get a malicious string into that column and it was executed, you would have a problem.

    If you're just retrieving the data in the column as part of query results that are returned to the client application, it should be fine to store strings with HTML tags in a varchar() column. I don't know of any security threats presented by this practice.

    Jason Wolfkill
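    An added T-SQL example (not from this thread or its posters) that walks through the distinction Jason draws: the same HTML value retrieved plainly, concatenated into a dynamic batch, and passed as a parameter instead. The tables, the sample row and the closing search of sys.sql_modules are constructed for the illustration.

```sql
-- Added example (not part of the thread): the HTML stored in a varchar column
-- only becomes a SQL injection problem under the pattern Jason describes,
-- building a T-SQL string from the column value and executing it.
-- Tables and the sample row are constructed for this illustration.
CREATE TABLE dbo.PageContent (
    PageId   int IDENTITY(1,1) PRIMARY KEY,
    Slug     varchar(50)  NOT NULL,
    BodyHtml varchar(max) NOT NULL
);
CREATE TABLE dbo.PageArchive (BodyHtml varchar(max) NOT NULL);
-- Constructed sample: ordinary HTML that also contains single quotes,
-- the character a form user could type and that matters to T-SQL.
INSERT INTO dbo.PageContent (Slug, BodyHtml)
VALUES ('welcome', '<p>Welcome to O''Brien''s <b>site</b></p>');
GO

-- 1. Plain retrieval: the tags are just characters in a column. Nothing is
--    executed here; whether the client HTML-encodes the value before
--    rendering it is the cross-site scripting question, not a database one.
SELECT PageId, Slug, BodyHtml FROM dbo.PageContent WHERE Slug = 'welcome';
GO

-- 2. The risky pattern: concatenating the column value into a batch.
--    The embedded quotes alone break the statement, and a value crafted
--    to close the literal would be parsed and run as T-SQL.
DECLARE @html varchar(max), @sql nvarchar(max);
SELECT @html = BodyHtml FROM dbo.PageContent WHERE Slug = 'welcome';
SET @sql = N'INSERT INTO dbo.PageArchive (BodyHtml) VALUES (''' + @html + ''')';
SELECT @sql AS BatchThatWouldRun;  -- inspect it; EXEC (@sql) would fail here
GO

-- 3. The same operation done safely: the value travels as a parameter of
--    sp_executesql, so it is never parsed as T-SQL whatever it contains.
DECLARE @html varchar(max);
SELECT @html = BodyHtml FROM dbo.PageContent WHERE Slug = 'welcome';
EXEC sp_executesql
    N'INSERT INTO dbo.PageArchive (BodyHtml) VALUES (@body)',
    N'@body varchar(max)',
    @body = @html;
GO

-- 4. Defender's check: a rough search of this database's modules for
--    dynamic SQL, i.e. the places to review for pattern 2.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS SchemaName,
       OBJECT_NAME(m.object_id)        AS ModuleName
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC%(%@%'
   OR m.definition LIKE '%sp_executesql%';
```

    Step 2 only shows the batch it would have built, so the script runs end to end; the point is that the column's contents became part of the code rather than data.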

  • OK. Thanks for the clarification.
