I have a web application where users are permitted to submit their resumes. When the form is submitted, the data is inserted into a new record in an SQL table.
One of the fields in the form allows them to copy and paste their entire resume text into a TextBox control, which is inside the InsertItemTemplate of a FormView. This particular control is bound to a column in the SQL table that's of datatype nvarchar(MAX).
It works, but there are no line breaks and when viewed the resume is just one long continuous block of text.
How can I change this so that line breaks are preserved?
Do I need to use something like a "cute editor" control?
And finally, how do I protect against malicious code? The insert query is parameterized, and the FormView refers to an insert method in a TableAdapter in my dataset.
Line breaks in Textbox control is just line notepad - they represented by carriage returns, not the HTML <br> tags.
When displaying in html, just do a replace... resumeText.Replace("\n","<br/>")
Using the textbox is safer than "cute editor" as it prevents the ability for users to input html format which may contain malicious client side script and poorly formatted html. Just need to do proper replacing of single quotes which the equivalent "&039;".
Single quotes in the query string are dangerous for sql injection. Also strip any html tags from the content.
Thanks for the explanation.
Just curious, though, how come the "\n" doesn't appear in the output?
Should I do the substitution in the code behind of the page that displays the resume?
And the other replacements you mention....where would that happen? In the INSERT query itself?
I tried this:
And got an error:
Server Error in '/' Application.
Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.
Compiler Error Message: CS1061: 'object' does not contain a definition for 'Replace' and no extension method 'Replace' accepting a first argument of type 'object' could be found (are you missing a using directive or an assembly reference?)
Line 16: <p><asp:Label ID="date_postedLabel" runat="server" Text='<%# Convert.ToDateTime(Eval("date_posted")).ToShortDateString() %>' /></p>
Line 17: <p><asp:Label ID="categoryLabel" runat="server" Text='<%# Eval("category") %>' /></p>
Line 18: <p><asp:Label ID="resumeLabel" runat="server" Text='<%# (Eval("resume")).Replace("\n","<br />") %>' /></p>
Line 19: <p><asp:Label ID="fileLabel" runat="server" Text='<%# Eval("file") %>' /></p>
Line 20: </ItemTemplate>
Source File: e:\Ed data\clients\Maine Innkeepers\MIA website 2010\Maine Innkeeper Site 2010\member\resume-detail.aspx
What am I doing wrong here?
OK, I have this working now, for some reason I had to add .ToString() to resolve the error:
<asp:Label ID="resumeLabel" runat="server" Text='<%# Eval("resume").ToString().Replace("\n","<br />") %>'/>
Thanks for the help.
Still curious about the second part of my question, though, regarding where to check the string before the insert happens.
If you're worried about malicious code, then use a Stored Procedure to store data back to the database. Stored Procedures will take the values as they are w/o processing anything as extra code.
Or you could go through and remove any database keywords of the Resume like DELETE or UPDATE and removing ;'s on the coding side of things before the database gets updated.
Alternative way, if the user resume included html format, you can also consider to use some editor control, like
richtextbox. Use these control, you do not care about the format of user input.
how do I protect against malicious code
Use parameterized value can prevent the sql injection attack to a great extent. You do not very worried about this.
And about script attacks. You can also use page validateRequest=true or server code Server.HtmlEncode to detete and encode user input before insert to database.
More information about Injection Attacks you can check these useful articles:
Hope this can help you.