NathanW
going with the flow
Posts:45
 |
| 11-13-2012 01:39 AM |
|
DF 4.10.0 is driving me mad because every time I have a form that is using an HTML field that gets written to a database field DF decides to change some of the HTML text to include ### and I cant stop it happening and it is killing my clients data and my time because I have to manually edit the database to remove the ###. This was working fine before 4.10 and I have changed the SQL inserts to use stored procedures and it is still happening.
For example if you have "hello world" DF changes this to "hello ###;###world" but its seems to do it for other things as well.
Please please please can you look at this as if I cant resolve this soon I am going to look at using some other form module because my client is going nuts.
I am using DNN 6.1 and DF 4.10.0.
thanks
Nathan
|
|
|
|
|
Ryan Bakerink
river guide
Posts:1900
|
| 11-13-2012 05:30 AM |
|
Hello Nathan,
I know that Dynamic Forms has a SQL Injection method involved with values within Questions.
Words like:
Select
Count
Update
Delete
Drop
etc..
Will invoke the SQL injection method, and this method places "###" around the text on both sides. I've even seen where "Country" throws this issue, because "Count" is within Country.
Did you create your own SQL Completion Event to save to a custom table you've created? I'd recommend using the T-SQL Replace() function.
Select Replace('$(HTMLTokenName)', '#', '');
Using a SQL Statement above is demonstrating how to take the entire value, search for a certain pattern of text and replace it will the value in the far right parameter of this function.
Please let me know if this makes sense or if you have any questions.
Thanks,
Ryan
|
|
|
|
|
Chad Nash
Posts:5260
|
| 11-13-2012 07:57 AM |
|
Yes, Ryan suggestion works... You could even change this out to be ### replaced with ''.
Select Replace('$(HTMLTokenName)', '###', '');
You could either update this within a SQL Event or use stored procedure and handle the replace statement before the data ever goes in the database.
We had to add these precautions related to certain security words because we were able to replicate/duplicate some very serious security incidents that were brought to our attention. We might later add an option to turn off this check however it is not recommended.
Thanks,
Chad
|
|
|
|
|
NathanW
going with the flow
Posts:45
|
| 11-14-2012 10:13 PM |
|
Will this just be on HTML fields or also text fields? |
|
|
|
|
Ryan Bakerink
river guide
Posts:1900
|
| 11-15-2012 05:17 AM |
|
Hello Nathan,
I've seen this behavior in Multi-lined textboxes, textboxes, Text/HTML and Combo Boxes(since there's an option to allow a user to add there own item).
It's possible that Radio Buttons, Checkboxes, etc.. may also use this SQL injection precautionary procedure.
Please let us know if you have any questions.
Thanks,
Ryan |
|
|
|
|