how to save html to a database field

Question

i have an tiny editor web page where my users can use this editor and i am saving the html into my database.

i am having issues saving this html to my database. for example if there is a name with a "'" or if there are other html character "<,",">" etc, my code seems to blow up on the insert.

Is there any best practices about taking any arbitrary html and have it persist fully to a db field without worrying about any specific characters.

Answer 1

Just reading through this - is your problem actually on the insert statement or do you get a problem from the web server before it ever hits your controller? Noticing that you tagged the question with asp.net-mvc, you may need to make sure that you have decorated your controller method with the [ValidateInput(false)] attribute.

Answer 2

I'm wondering if you are building the full query. Instead use a parameterized query and that should eliminate your data problems.

string sqlIns = "INSERT INTO table (name, information, other) VALUES (@name, @information, @other)";

SqlCommand cmdIns = new SqlCommand(sqlIns, db.Connection);
cmdIns.Parameters.Add("@name", info);
cmdIns.Parameters.Add("@information", info1);
cmdIns.Parameters.Add("@other", info2);
cmdIns.ExecuteNonQuery();

Answer 3

You could just HtmlEncode the data. You'll have a HttpContext.Current.Server object, so in pseudo code you'd just do:

Database.Save(HttpContext.Current.Server.HtmlEncode(myHtml));

and to retrieve it:

myHtml = HttpContext.Current.Server.HtmlDecode(DataBase.Load());

Answer 4

do you insert using SqlParameter? If yes, you should not have problems, check that.