ASPX/SQL problem

CycloWizard

Lifer
Sep 10, 2001
I'm using an Access database and C# for coding. The database contains four fields: a number, two texts, and a memo (in that order). My insertion command is in the attached code below.

The problem is that I can post something ridiculously long, as long as there is no html code in the text. The second I add any html to the text, I throw an exception as soon as the post length exceeds 255 characters. Any ideas?
 

lansalot

Senior member
Jan 25, 2005
Here's an idea: don't allow SQL to do stuff other than via parameters passed to a stored procedure. Don't do this build-a-command-in-text thing, it's plenty bad...
 

CycloWizard

Lifer
Sep 10, 2001
Originally posted by: lansalot
Here's an idea: don't allow SQL to do stuff other than via parameters passed to a stored procedure. Don't do this build-a-command-in-text thing, it's plenty bad...
As I understand it, the only thing SQL is actually doing is storing whatever the code gives it in the database. I'm not sure what alternatives exist to the method I'm using, but maybe you could be so kind as to enlighten me? I'm not much of a programmer.
 

torpid

Lifer
Sep 14, 2003
You are saying that the memo field allows any amount of text as long as it contains no HTML? Or what?

The point he's trying to make above is that your code as written is highly vulnerable to SQL injection. Ideally the solution is to use parameterized SQL like this: Insert into Items Values(?, ?, ?, ?) and then attach OLEDBParameters to the OLEDBCommand before executing.

Are you doing stuff like replacing a single quote with two single quotes to prevent malformed SQL? Also, allowing HTML characters into posts itself is very problematic, because people could do some pretty sneaky stuff with their posts. That is why almost all places where you can post things use special codes and disallow HTML, or at the least only allow certain HTML tags.
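The parameterized insert torpid describes, as an added example that is not code from the thread: the table name Items, the column order (number, text, text, memo) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example, not the original poster's code. Assumes an Access table named
// "Items" whose columns are, in order: a Number, two Text fields and a Memo field.
public static class ItemInserter
{
    public static int InsertItem(string connectionString, int id, string title,
                                 string author, string body)
    {
        // Positional placeholders: the OLE DB provider binds parameters in the
        // order they are added, not by name, so the Add() order below must match
        // the order of the "?" markers.
        const string sql = "INSERT INTO Items VALUES (?, ?, ?, ?)";

        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;
            cmd.Parameters.Add("@title", OleDbType.VarWChar, 255).Value = title;
            cmd.Parameters.Add("@author", OleDbType.VarWChar, 255).Value = author;
            // Declare the memo column's parameter as a long text type explicitly
            // instead of letting the provider infer a short text parameter from
            // the .NET string.
            cmd.Parameters.Add("@body", OleDbType.LongVarWChar).Value = body;

            // The values never become part of the SQL text, so a single quote in
            // the body cannot break the statement and no quote-doubling is needed.
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Placeholder connection string; point Data Source at the real .mdb file.
        const string cs = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\path\\to\\blog.mdb";
        int rows = InsertItem(cs, 1, "First post", "CycloWizard",
                              "It's a memo with a 'quote' and <b>html</b>.");
        Console.WriteLine("Rows inserted: " + rows);
    }
}
```

Parameterizing only keeps the SQL well-formed; the stored HTML is still written out verbatim, so the rendering concern raised above has to be handled separately when the post is displayed.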
 

CycloWizard

Lifer
Sep 10, 2001
Originally posted by: torpid
You are saying that the memo field allows any amount of text as long as it contains no HTML? Or what?
Yeah, the memo field will allow as many characters as I want unless it has html (up to 65,000 or whatever the field limit is in Access).
The point he's trying to make above is that your code as written is highly vulnerable to SQL injection. Ideally the solution is to use parameterized SQL like this: Insert into Items Values(?, ?, ?, ?) and then attach OLEDBParameters to the OLEDBCommand before executing.
OK, I think I see what you're saying here. I'm not familiar with the OLEDBParameters and so on, but I can read up on that. Thanks for pointing me in the right direction.
Are you doing stuff like replacing a single quote with two single quotes to prevent malformed SQL?
Yeah... Single quotes denote text/memo fields in Access, while those without are any other form. I asked about that here quite a while ago. I finally got a chance to work on it again. :p
Also, allowing HTML characters into posts itself is very problematic, because people could do some pretty sneaky stuff with their posts. That is why almost all places where you can post things use special codes and disallow HTML, or at the least only allow certain HTML tags.
I understand the security concerns with allowing html, so I made it so only someone with my username can post using this form. In addition, all other forms have validateRequest="true", while on this one I set validateRequest="false". Basically, it's a way for me to allow myself to post html (links, pics, whatever) and not anyone else, which I think is pretty safe, barring someone gaining access to my account. I'm sure there's a better way to do this, but I just want something that works. It's just my personal blog/message board, so it doesn't need to be terribly efficient or flexible.

Thanks for the help. :beer: I'll see if I can't figure out some of the parametrization stuff when I get some more time to work on it.