Wrox Programmer Forums
BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869

You are currently viewing the BOOK: ASP.NET Website Programming Problem-Design-Solution section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
September 14th, 2004, 12:39 PM
News Module/storing html in databases

Hello,

I was wondering if the text data type in SQL Server 2000 can store HTML or not? I mean, can I store HTML in SQL Server?

When I tried that in the admin pages of the news module, I got the following exception.
---------------
An unexpected error has occurred in this Application. The system administrators have been notified. Please feel free to contact us with the information surrounding this error.
The error occurred in: http://localhost/ThePhile/Modules/Ne...x?CategoryID=2
Error Message: A potentially dangerous Request.Form value was detected from the client (NewsGrid:_ctl3:EditBody="...s
----------------
So what's the story of this exception?
Thanks
Marenela

 
September 14th, 2004, 05:00 PM

Of course you can store HTML in SQL Server. But you can't submit some dangerous HTML tags to a web page.

This is done to prevent Cross-Site Scripting (XSS) attacks against web sites.

You can disable this with ValidateRequest="false" in the Page directive, but you must never do this on a production system! This could allow a hacker to steal a security cookie by inserting a JavaScript routine into your web page.

Eric
 
September 15th, 2004, 03:13 AM

OK. I need to disable it only in the administration page of the news module, and no one (except administrators) will log into these pages. What do you think?
Thanks
Marenela

 
September 15th, 2004, 09:43 PM

That sounds like a pretty good idea. It's safe if it's only for pages that require admin privileges.

Eric
 
September 17th, 2004, 02:59 PM

Hello Eric,

I put ValidateRequest="false" in the page directive of shownews.aspx in the news module and I still get the same exception. So why?
Thanks
Marenela

 
September 20th, 2004, 09:04 PM

I'm new to ASP.NET and am having a similar problem. However, what is the "Page directive" and/or what is the proper syntax of entering it? When I enter it in my code, I get the following error: BC30451: Name 'validateRequest' is not declared.


Shea Ellison
 
September 20th, 2004, 10:13 PM

Shea - This should only be used in special cases. You should NOT do this unless you have a functional requirement to post HTML tags to an .aspx page. This web site works fine without this setting. I don't have this setting on any of my pages.

Marenela - I think you put it on the wrong page. Which page are you trying to post back to? Shownews.aspx is not used to receive inputs from the user. I think you want to try it on SubmitNews.aspx.

This ValidateRequest feature is only used to prevent users from submitting HTML tags as text input in a page. Pages that don't accept text input won't be affected by this setting.

If anyone doesn't understand the security ramifications of doing this, then please do NOT do this. This is very dangerous. Marenela only wants to do this on restricted pages, so I reluctantly went along with this.

I think there are better ways of sending HTML keys to a database. Why not use a Windows Forms application to update your SQL Server database if you want HTML to be entered by administrators? You can make a much nicer application using Windows Forms - the only downside is that it doesn't work in a web browser. But it DOES work remotely, and you should be able to connect to a remote SQL Server database this way. You could get creative and make this into a SmartClient application that DOES get launched from a Web Browser across the Internet. The only downside of a SmartClient app is that users need the .NET Framework on their computer. This is easy to enforce for administrators.

Eric
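
What switching off ValidateRequest on a single page leaves for that page's own code to do, as an added example that is not part of the original thread or of the book's code: the posted HTML is encoded in full and only a short allow-list of bare tags is restored before it is stored or displayed. The module name NewsHtml, the tag list and the sample input are assumptions made for illustration; the project needs a reference to System.Web.

```vbnet
' Added example; hypothetical helper, not code from the book.
' ValidateRequest is an attribute of the @ Page directive, which sits on the
' first line of the .aspx markup file and is not a VB statement:
'   <%@ Page Language="vb" ValidateRequest="false" %>
' Once it is off, ASP.NET no longer rejects posted markup, so the page must
' neutralise the input itself, as ToSafeHtml does below.
Imports System
Imports System.Text
Imports System.Web

Public Module NewsHtml

    ' Tags an administrator may use in a news body (assumed list).
    ' Only the bare lowercase form is restored; attributes are never allowed.
    Private ReadOnly AllowedTags() As String = _
        {"b", "i", "u", "p", "br", "ul", "ol", "li"}

    ' Encode everything, then turn only the allow-listed tags back into markup.
    ' Anything else (script tags, event-handler attributes, uppercase or
    ' malformed tags) stays encoded and is shown to readers as plain text.
    Public Function ToSafeHtml(ByVal raw As String) As String
        If raw Is Nothing Then Return String.Empty
        Dim sb As New StringBuilder(HttpUtility.HtmlEncode(raw))
        For Each tag As String In AllowedTags
            sb.Replace("&lt;" & tag & "&gt;", "<" & tag & ">")
            sb.Replace("&lt;/" & tag & "&gt;", "</" & tag & ">")
        Next
        ' Self-closing line breaks in either spelling.
        sb.Replace("&lt;br /&gt;", "<br />")
        sb.Replace("&lt;br/&gt;", "<br />")
        Return sb.ToString()
    End Function

    Sub Main()
        ' Constructed sample input: allowed formatting, a script element,
        ' and a paragraph carrying an event-handler attribute.
        Dim sample As String = "<p>Site <b>news</b></p>" & _
            "<script>alert(1)</script>" & _
            "<p onclick=""x()"">hi</p>"
        Console.WriteLine(ToSafeHtml(sample))
    End Sub

End Module
```

Because the text is encoded first, input that already contains `&lt;b&gt;` becomes `&amp;lt;b&amp;gt;` and is not mistaken for an allowed tag.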
 
September 21st, 2004, 03:06 AM

Hello Eric,

So I can log in remotely to SQL Server 2000? Great, but tell me: do I need knowledge of remoting, or do I just work as local and put the server name and address in the connection string?
Thanks,
Marenela

 
September 21st, 2004, 06:54 AM

You have to configure the SQL 2000 Client Network Utility, and then modify your connection string. This is not the same thing as .NET remoting.

Eric




