
I am using ASP.NET MVC 3 with EF 4.1 on SQL Azure. I have both LINQ expressions and stored procedures.

Now, I need to allow all the special characters like "';&<>/ etc. to be entered and saved in the database. But, when it is rendered, it should not render as HTML (i.e., it should be rendered as text). How can I prevent SQL injection and XSS attacks?

My concern is when we display in @Html.TextBoxFor or @Html.EditorFor or in a label. I don't want to compromise on the type of characters entered. Please suggest how to approach this.

Nick Andriopoulos
user1999616
    Do you have a development station/database for which you can try some of these things? AFAIK, since you're using EF, there's no reason to worry about SQL injection *except where you're not using EF* (or where you're not using SQL parameters or whatever). For instance, do any of your stored procedures generate and execute any SQL? Check them. Similarly, *I think* the contents for editors and labels generally are HTML-encoded, which means the contents *will be rendered as text* when the page is interpreted as HTML. I suppose it would be nice to verify that they HTML-encode, though. – JayC Mar 21 '13 at 17:46
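As an added example (not code from the question or the comment above), here is a minimal MVC 3 + EF 4.1 Code First slice that ties the two points together: accept the raw characters on input, keep SQL parameterised (both for LINQ and for a hand-called stored procedure), and let Razor's `@` syntax HTML-encode on output. The entity, context, controller and stored-procedure names (`Note`, `NotesContext`, `NotesController`, `dbo.SearchNotes`) are assumptions made for the example.

```csharp
// Added example, not from the question. Names (Note, NotesContext, NotesController,
// dbo.SearchNotes) are assumptions. Demonstrates:
//  1) [AllowHtml] lets "';&<>/ and even <script> through request validation for ONE property;
//  2) EF LINQ and Database.SqlQuery with SqlParameter never splice user text into SQL;
//  3) encoding is done at render time (Razor "@", HtmlHelper attributes), not on storage.
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class Note
{
    public int Id { get; set; }

    // Without [AllowHtml], ASP.NET request validation rejects a POST whose value contains
    // '<' followed by a letter (HttpRequestValidationException). With it, the raw text
    // reaches the model untouched: nothing is encoded on the way in.
    [AllowHtml]
    [Required, StringLength(4000)]
    public string Body { get; set; }
}

public class NotesContext : DbContext
{
    public DbSet<Note> Notes { get; set; }
}

public class NotesController : Controller
{
    private readonly NotesContext db = new NotesContext();

    // LINQ-to-Entities: EF translates this to a parameterised query, so user text
    // is sent as a parameter value, not as part of the SQL text.
    public ActionResult Index()
    {
        return View(db.Notes.OrderByDescending(n => n.Id).ToList());
    }

    // Calling a stored procedure by hand is the one place EF does not protect you.
    // VULNERABLE pattern (do not use): "EXEC dbo.SearchNotes '" + term + "'"
    // Hardened: the term travels as a SqlParameter; the command text is a constant.
    public ActionResult Search(string term)
    {
        var hits = db.Database
            .SqlQuery<Note>("EXEC dbo.SearchNotes @term", new SqlParameter("@term", term ?? ""))
            .ToList();
        return View("Index", hits);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(Note note)
    {
        if (!ModelState.IsValid) return View(note);
        db.Notes.Add(note);   // stored verbatim: quotes, ampersands and angle brackets intact
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // Same transformation Razor's "@" applies; handy for non-Razor output or unit tests.
    // EncodeForHtml("<b>x</b>") == "&lt;b&gt;x&lt;/b&gt;"
    public static string EncodeForHtml(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? "");
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}

/* Views/Notes/Index.cshtml (MVC 3 Razor), shown here as a comment:

@model IEnumerable<Note>
<ul>
@foreach (var n in Model) {
    <li>@n.Body</li>          @* "@" HTML-encodes, so <script> is displayed as text *@
}
</ul>
@* Only @Html.Raw(n.Body) would emit the stored markup unencoded; avoid it for user input. *@

   Views/Notes/Create.cshtml:

@model Note
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.LabelFor(m => m.Body)
    @Html.TextBoxFor(m => m.Body)   @* value="..." is attribute-encoded by the helper *@
    @Html.EditorFor(m => m.Body)    @* editor templates encode the same way *@
    <input type="submit" value="Save" />
}
*/
```

The design choice worth noting is that encoding happens once, at the output boundary: the database keeps the characters exactly as typed, `@`, `TextBoxFor` and `EditorFor` encode them for HTML context, and the only raw-SQL call in the controller has a constant command string with the user value bound as a parameter. If a stored procedure itself builds dynamic SQL with `EXEC` or `sp_executesql` from its arguments, that procedure has to be reviewed separately, as the comment above points out.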

0 Answers