
I have a text area where a user can enter a description. I need to save this input, with line breaks, to the database. The user can also enter some HTML tags, but these tags should be treated as plain text.

For example user enter this text:

a b (press Enter)
c d <p>f</p>

What is the best way to save this text to the database?

1. "a b<br/>c d <p>f</p>"
2. "a b \r\n c d <p>f</p>"
3. "a b &lt;br/&gt;c d &lt;p&gt;f&lt;/p&gt; "

It will not be displayed as HTML.

vborutenko
  • With the first one, you can display it directly in an HTML page. With the others, you need to parse it with PHP and replace characters. So I think the first one is better. – Alarid May 06 '13 at 14:51
  • It depends on what you want to do with it. If it will be displayed as HTML then the first one will suffice. However, if you are sure you never want HTML, the third option is the best. – Jonathan May 06 '13 at 14:54
  • The above 2 comments will lead to an XSS attack. – maxisam Feb 21 '14 at 20:16

1 Answer


This is a discussion around escaping characters. The simple answer is:

http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx

If you are saving this via a web server with JavaScript, you may have to roll your own encoder:

HTML-encoding lost when attribute read from input field

The bigger conversation around encoding is important: where will you have encoders and decoders available? Will you just hit HTML, or should you include JS as well? I would, if you have users adding values to your DB.

Also, you will still want to scrub your inputs, depending on how you add your data to the DB, to prevent SQL injection.

HTH

Paul Shriner
  • Negative. HtmlEncode still has problems. You cannot use HtmlEncode in a label and a single-mode textbox. The best way is still: http://stackoverflow.com/questions/4883613/asp-net-text-with-linebreak-from-multi-line-textbox-to-save-in-a-database – mohsen solhnia Oct 06 '15 at 19:04
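The question's three storage options and the answer's point about encoders, worked through as an added example (this code is not from the question, the answer, or any linked page; the function names and the sample input are mine). It stores the raw text (option 2 from the question) and does all encoding at render time, choosing the encoder by the context the text is written into: HTML body, or a JavaScript string literal inside a script block.

```javascript
// Added example: store the textarea value verbatim (option 2 in the question)
// and escape on output, choosing the encoder for the destination context.
// Function names below are illustrative, not from any library on the page.

// Every character with a meaning in HTML text or attribute context, mapped to
// its entity. "&" must be in the table: otherwise a user who types "&lt;"
// would have it rendered as "<" by the browser, defeating the escaping.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// HTML-encode a string for insertion into an HTML text node or quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// What to store: the raw text with line endings normalised to "\n".
// Browsers submit textarea content with CRLF ("\r\n"), so normalise once on
// the way in; nothing else is transformed before it reaches the database.
function normaliseForStorage(submitted) {
  return String(submitted).replace(/\r\n?/g, "\n");
}

// What to render in an HTML body: escape first, then turn newlines into <br>.
// Order matters. If <br> were inserted before escaping, escapeHtml would turn
// it into "&lt;br&gt;" and the line break would display as literal text
// (which is what option 3 in the question would do).
function renderAsHtml(stored) {
  return escapeHtml(stored).replace(/\n/g, "<br>");
}

// Option 1 from the question, for contrast: "<br/>" mixed into the stored
// text, displayed without escaping. Once a real tag and user-typed text share
// one string, nothing downstream can tell them apart, so the user's "<p>"
// (or a "<script>") is live markup when rendered. This is the XSS the third
// comment on the question refers to.
function renderOption1Unsafe(stored) {
  return stored.replace(/\n/g, "<br/>"); // no escaping: user markup is live
}

// The answer's "should you include JS as well" point: if the stored text is
// embedded inside a <script> block, HTML encoding is the wrong encoder.
// Produce a JavaScript string literal instead, and additionally escape "<" so
// that a user-typed "</script>" cannot terminate the block early.
function toJsStringLiteral(stored) {
  return JSON.stringify(stored).replace(/</g, "\\u003c");
}

// Constructed sample input matching the question's example: the user typed
// "a b", pressed Enter, then typed "c d <p>f</p>". Not captured from any
// real form submission.
const submitted = "a b\r\nc d <p>f</p>";
const stored = normaliseForStorage(submitted);

console.log(JSON.stringify(stored));      // "a b\nc d <p>f</p>"  (what is saved)
console.log(renderAsHtml(stored));        // a b<br>c d &lt;p&gt;f&lt;/p&gt;
console.log(renderOption1Unsafe(stored)); // a b<br/>c d <p>f</p>  (tag is live)
console.log(toJsStringLiteral(stored));   // "a b\nc d \u003cp>f\u003c/p>"
```

Storing the raw text keeps one copy of the truth in the database and lets every consumer (HTML page, script block, JSON API, CSV export) apply its own encoder; storing pre-encoded HTML, as options 1 and 3 do, bakes one context's encoding into the data and either exposes user markup (option 1) or double-encodes it in any other context. The SQL injection point in the answer is separate from all of this: it is handled by parameterised queries on the way into the database, not by changing what the text contains.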