Reputation: 11
I am currently HTML encoding all user entered text before inserting/updating a DB table record. The problem is that on any subsequent updates, the previously encoded string is re-encoded. This endless loop is starting to eat up a lot of column space in my tables. I am using parameterized queries for all SQL statements but am wondering whether it would be safe to just let the .NET Framework handle this part without the HTML encoding?
Upvotes: 1
Views: 10034
Reputation: 1
You can save the input encoded, and at the time of update decode it, then update it and save it encoded again; at display time you do not need to do anything. This gives one benefit: you do not need to encode again and again at show time. But one problem may be that if you want to change it in RowDataBound, you would have to decode it, change it and encode it again :) :) happy coding
Upvotes: 0
Reputation: 47726
I wouldn't recommend encoding the data in the database.
The encoding has nothing to do with the data but is specifically targeted at how you are displaying the data. What if you want a client app to use this data in the future, or some other non-HTML display?
You should be storing the data as the raw data in your tables and the applications, or the layer that services applications should handle the encoding to whatever formats are required.
The .NET framework can easily do it for you. Just remember to use HtmlEncode, or in ASP.NET 4 <%: . You should be doing this for ANY data that you need to present that is dynamic.
Storing it in the database encoded will not only cause you problems today but ongoing ones in the future.
Upvotes: 4
Reputation: 60564
You should always HTML encode user data upon displaying, never upon storing. Save the user input in DB (using parametrized queries or whatnot to prevent SQL injection) and then HTML encode when outputting the data. That way you'll never have this problem.
HTML encoding is built into the ASP.NET framework; it's really simple. This is how you do it:
<!-- ASP.NET 3.5 and below -->
<%= Html.Encode(yourStuff) %>
<!-- ASP.NET 4 -->
<%: yourStuff %>
Upvotes: 6
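As an added example (not code from the question or from any of the answers above), the two patterns side by side, in Python with an in-memory SQLite table rather than .NET so that it runs stand-alone. The first function reproduces the growth the asker describes: HTML-encode before every INSERT/UPDATE, read the column back, encode again. The second does what the two higher-voted answers recommend: a parameterized query (SQLite's ? placeholder here) stores the raw text, and each consumer encodes for its own output format, an HTML page or a JSON API. USER_INPUT is a constructed sample string; the posts table and all function names are mine, not anything from the thread.

```python
import html
import json
import sqlite3

# Constructed sample input (not from the original thread): it contains every
# character HTML encoding rewrites, including a script tag.
USER_INPUT = 'Tom & Jerry <script>alert("xss")</script>'

SCHEMA = "CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)"


def _fresh_table():
    """In-memory SQLite stands in for the SQL table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _read_body(conn):
    (body,) = conn.execute("SELECT body FROM posts WHERE id = 1").fetchone()
    return body


def encode_before_store(cycles):
    """The asker's pattern: HTML-encode before every INSERT and UPDATE.

    An update reads the column back (already encoded) and encodes it again,
    so every '&' produced by an earlier pass becomes '&amp;'. Returns the
    stored length after each update so the growth is visible.
    """
    conn = _fresh_table()
    conn.execute("INSERT INTO posts (body) VALUES (?)", (html.escape(USER_INPUT),))
    lengths = []
    for _ in range(cycles):
        current = _read_body(conn)
        # Even a no-op edit passes through the encoder on its way back in.
        conn.execute("UPDATE posts SET body = ? WHERE id = 1", (html.escape(current),))
        lengths.append(len(_read_body(conn)))
    conn.close()
    return lengths


def render_html(text):
    """Encode at the point of output: the job <%: %> does in an ASP.NET 4 page."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def store_raw_encode_on_output(cycles):
    """The recommended pattern: the parameterized query stores the raw text
    unchanged; each consumer encodes for its own output format.

    Returns what the table holds after `cycles` updates plus the HTML and
    JSON views, so you can check that the stored value never changes.
    """
    conn = _fresh_table()
    conn.execute("INSERT INTO posts (body) VALUES (?)", (USER_INPUT,))
    for _ in range(cycles):
        current = _read_body(conn)
        conn.execute("UPDATE posts SET body = ? WHERE id = 1", (current,))
    stored = _read_body(conn)
    conn.close()
    return {
        "stored": stored,
        "html": render_html(stored),           # HTML page: entities, no live tags
        "json": json.dumps({"body": stored}),  # API client: raw text, JSON escaping only
    }


if __name__ == "__main__":
    print("encode-before-store lengths:", encode_before_store(3))
    for key, value in store_raw_encode_on_output(3).items():
        print(f"{key:>6}: {value}")
```

With the sample input, the first pattern grows the stored string by 28 characters on every update (one extra "amp;" per entity), while the second leaves the row byte-for-byte as the user typed it and still produces an inert HTML view. One caveat for anyone switching over: rows already saved through the first pattern need a one-time decode, and html.unescape cannot tell an encoded "&" from a user who literally typed "&amp;", so decode once per encoding pass you know occurred rather than looping until the value stops changing.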