Is there any security risk that has to be managed in text being stored for later viewing?


1

I want to have a "contact us" on my site such that a user can type in a textbox and when he clicks "submit" – it will be stored for later viewing by me.

Is there any danger of injection here?

2012-04-03 20:51
by ispiro
When you save the content of the text box, how are you saving it? For example, you can save it to an XML or text file; there's no need to store it in a database. Is that a requirement? - divamatrix 2012-04-03 20:55
Thanks. No. Any way would be fine. (Would you recommend some specific way?) - ispiro 2012-04-03 20:59


1

The injection may happen in two places.

  • When you show this input in an html page.
  • When you save it.

So if you save it on an SQL server, you save it using variables/parameters*; if you save it in an XML file, you save it using HtmlEncode.

When you view that data, if you view it on an HTML page, use HtmlEncode; if you just read it in a text file, then no worry :)

[*] How To: Protect From SQL Injection in ASP.NET

More details for html Encode and Anti Cross Site Scripting Library:

http://msdn.microsoft.com/en-us/security/aa973814

http://msdn.microsoft.com/en-us/library/ff649310.aspx

2012-04-03 20:59
by Aristos
Thanks. Very clear - ispiro 2012-04-03 21:04
Is there a reason I would want to store it any way other than a text file? - ispiro 2012-04-03 21:04
@ispiro Depends on what information you'd like to keep and how... a text file is good in many simple cases - Aristos 2012-04-03 21:06
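
The two places named in the answer above (saving and displaying), as an added example that is not part of the original thread: Python's `sqlite3` placeholders and `html.escape` stand in for the SQL parameters and HtmlEncode the answer mentions. The table layout, function names and sample message are assumptions constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample submission: a quote plus SQL, and a script tag.
SAMPLE_MESSAGE = "Hello'); DROP TABLE messages;-- <script>alert(1)</script>"


def open_store():
    """In-memory database standing in for the site's message store (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    return db


def save_unsafe(db, sender, body):
    """Deliberately vulnerable 'before' form: the text is spliced into the SQL."""
    sql = "INSERT INTO messages (sender, body) VALUES ('%s', '%s')" % (sender, body)
    db.executescript(sql)  # runs every statement found in the string


def save_message(db, sender, body):
    """Parameterized form: placeholders keep the text as data, never as SQL."""
    db.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", (sender, body))
    db.commit()


def render_inbox(db):
    """Encode at output time so stored markup is shown as text, not executed."""
    rows = db.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    items = ["<li>%s: %s</li>" % (html.escape(s), html.escape(b)) for s, b in rows]
    return "<ul>%s</ul>" % "".join(items)


def table_exists(db):
    """True while the messages table is still present."""
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='messages'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    good = open_store()
    save_message(good, "visitor@example.com", SAMPLE_MESSAGE)
    print("parameterized, table intact:", table_exists(good))
    print(render_inbox(good))
    bad = open_store()
    save_unsafe(bad, "visitor@example.com", SAMPLE_MESSAGE)
    print("concatenated, table intact:", table_exists(bad))
```

The parameterized path stores the submission byte for byte, so encoding is applied when the inbox page is built rather than when the message is saved.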


1

Probably yes, but it depends on where you store your text.

If it's in an SQL database, you have the risk of SQL injection, for example. You should use your environment's SQL escape function.

For example, with php + mysql you can use mysql_real_escape_string. Most technical environments provide a standard way to escape strings properly before persistence.

2012-04-03 20:57
by Samuel Rossille


0

From a security point of view, our Web forms are naked and 100% vulnerable. We need to look at all the ways data is passed to them and test as appropriate:

* Form Fields
* URL Query Strings
* Cookies
* Database
* ViewState

The most prevalent forms of attack seem to be Script Injection, Cross Site Scripting and SQL Injection. As for SQL Injection, this can be mitigated against by using parameterized queries. It is the act of parameterizing the database queries that makes stored procedures so resilient to attack. The other forms of script attack can be handled by downloading and using the Microsoft Anti-Cross Site Scripting Library in your Web application projects.

Security Runtime Engine VS AntiXSS Library

Microsoft Web Protection Library

2012-04-03 21:07
by IrishChieftain