SQL injection in form

Conor Dunk asked on January 11, 2017 10:09

Hi,

I'm concerned about the level of security in place on the forms we have built: I can submit an empty script tag. When we build forms for non-Kentico sites, we throw a 500. Is there any built-in functionality to handle this?

Thank you, Conor

Recent Answers


Jan Hermann answered on January 11, 2017 10:15

It depends on the form control you are using; however, the input is not rendered anywhere by default, so the script wouldn't be triggered.

Each form control also allows you to specify validation that could look for script tags and then display a validation error, which also prevents the form from being submitted; or you can do this in the code of a form control and throw some other error instead.

0 votes

Conor Dunk answered on January 11, 2017 10:40

If someone submitted a form with a script inside would it not then be rendered on the admin in the recorded data section?

0 votes

Jan Hermann answered on January 11, 2017 10:45

In that section everything gets encoded, so you don't have to worry about it there.

1 vote
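The two controls Jan Hermann describes in his answers above, input validation that rejects script tags and HTML encoding of stored values before they are shown in the recorded-data view, as an added, language-neutral illustration that is not code from this thread or from Kentico. The function names, the regular expression and the sample submissions are all constructed here; Kentico's own form-control validation API is not modelled.

```javascript
// Added example (not from the thread or from Kentico): the two layers described
// above. (1) A validation step that rejects a submission containing a <script>
// tag and blocks it from being saved. (2) HTML encoding of every stored value
// before it is rendered in an admin "recorded data" table, so that markup which
// reaches storage is displayed as text rather than interpreted by the browser.
// All names and sample values here are constructed for the illustration.

// Matches an opening or closing <script ...> tag, case-insensitively, tolerating
// whitespace after "<" or "</" and any attributes before ">".
const SCRIPT_TAG = /<\s*\/?\s*script\b[^>]*>/i;

// Validation control: returns null when the value is acceptable, otherwise the
// error message the form control would display (which also stops submission).
function validateNoScriptTag(value) {
  if (typeof value !== 'string') return 'Value must be a string.';
  return SCRIPT_TAG.test(value) ? 'Script tags are not allowed in this field.' : null;
}

// Output-encoding control: the five characters that change meaning in HTML text
// and attribute context. Encoding on output is what keeps stored input inert
// when it is displayed, independent of what the validator accepted.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated "recorded data" row as an admin UI should render it: every field
// name and value goes through htmlEncode, so markup appears literally.
function renderRecordedDataRow(record) {
  const cells = Object.entries(record)
    .map(([field, value]) => `<td>${htmlEncode(field)}</td><td>${htmlEncode(value)}</td>`)
    .join('');
  return `<tr>${cells}</tr>`;
}

// Full submission path: validate each field first; only accepted records are
// stored and later rendered (encoded) in the admin view.
function handleSubmission(record) {
  const errors = {};
  for (const [field, value] of Object.entries(record)) {
    const err = validateNoScriptTag(value);
    if (err) errors[field] = err;
  }
  if (Object.keys(errors).length > 0) return { accepted: false, errors };
  return { accepted: true, rendered: renderRecordedDataRow(record) };
}

// Constructed sample submissions: one benign value containing HTML-significant
// characters, and the empty script tag from the original question.
const okRecord = { name: 'Conor', comment: 'Price < 10 & "fast"' };
const badRecord = { name: 'Conor', comment: '<script></script>' };

console.log(handleSubmission(okRecord));
console.log(handleSubmission(badRecord));
```

Both layers belong together: the validator is a usability measure that gives the submitter a clear error instead of a 500, while the encoding step is the control that actually prevents stored input from executing when an administrator views it, so it should be applied to every place the data is displayed rather than relied on only where the validator ran.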
