The .NET app I am working on encounters an error when a user enters opening angle brackets "<" as input. Specifically, this occurs when they want some sort of HTML input such as <a href="www.google.com">Google</a>. I've tried the exact same input without the "<" and everything works exactly as it should. The input is being read from an asp:TextBox and added as a parameter to an SQL INSERT INTO statement. I am using a try catch block to catch SqlExceptions, but this particular problem is not even caught when I change the catch statement to catch(Exception err). I know "<" is used as the less than operator in SQL; however, it shouldn't be a problem because the input is a parameter, right? Why would it only be the "<" and not ">", which is also in the input, since both characters are valid SQL operators? Here is the actual code snippet.
try
{
    // SQL_Command and SQL_Connection are declared (and the connection opened) elsewhere on the page
    SQL_Command.Connection = SQL_Connection;
    SQL_Command.CommandText = "INSERT INTO tabl1 ([ID], [fName], [lName], [bio]) VALUES (@ID, @First, @Last, @Bio)";

    // One parameter per placeholder; the text box values are never concatenated into the SQL
    SqlParameter ID, First, Last, Bio;
    ID = new SqlParameter("@ID", id_text.Text);
    First = new SqlParameter("@First", firstName_Text.Text);
    Last = new SqlParameter("@Last", lastName_Text.Text);
    Bio = new SqlParameter("@Bio", bio_Text.Text);
    SQL_Command.Parameters.Add(ID);
    SQL_Command.Parameters.Add(Last);
    SQL_Command.Parameters.Add(First);
    SQL_Command.Parameters.Add(Bio);
    SQL_Command.ExecuteNonQuery();
}
catch (Exception err)
{
    Response.Write(err);
}
The schema for this table is:
ID int NOT NULL
fName nVarChar(255)
lName nVarChar(255)
bio nVarChar(MAX)
The error message you are getting is most likely the result of ASP.NET protecting your site against a cross-site scripting attack. The opening angle bracket looks suspicious, because you may be injecting malicious JavaScript or HTML onto the page. This question has been answered before at this link: A potentially dangerous Request.Form value was detected from the client
Hope that helps!
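As an added example (not the asker's code and not from the linked answer), one way to accept markup in the bio field while keeping request validation on for the rest of the page in .NET 4.5+ Web Forms: only the bio control opts out of validation, the INSERT stays parameterized with explicit types, and the stored value is HTML-encoded when rendered. The control and column names follow the question; the `MainDb` connection string name, the `bioOutput` Literal and the `statusLabel` Label are assumptions.

```csharp
// Markup (assumed, .NET 4.5+): opt only the bio field out of request validation.
//   <asp:TextBox ID="bio_Text" runat="server" TextMode="MultiLine" ValidateRequestMode="Disabled" />
//   <asp:Literal ID="bioOutput" runat="server" />
// Needs <httpRuntime requestValidationMode="4.5" /> in web.config (the default for 4.5 targets);
// in "2.0" mode the whole request is validated up front and the per-control setting has no effect.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Profile : Page
{
    protected void Save_Click(object sender, EventArgs e)
    {
        int id;
        if (!int.TryParse(id_text.Text, out id))
        {
            statusLabel.Text = "ID must be a whole number.";   // ID column is int NOT NULL
            return;
        }

        // Connection string name is assumed; read it from web.config rather than hard-coding it.
        string connStr = ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "INSERT INTO tabl1 ([ID], [fName], [lName], [bio]) VALUES (@ID, @First, @Last, @Bio)", conn))
        {
            // Explicit types and lengths matching the schema. The values travel as parameters,
            // never as part of the SQL text, so "<" and ">" in the bio cannot alter the statement.
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@First", SqlDbType.NVarChar, 255).Value = firstName_Text.Text;
            cmd.Parameters.Add("@Last", SqlDbType.NVarChar, 255).Value = lastName_Text.Text;
            cmd.Parameters.Add("@Bio", SqlDbType.NVarChar, -1).Value = bio_Text.Text; // -1 = nvarchar(MAX)
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // Request validation no longer guards this field, so the markup must be encoded on output;
        // rendering it raw would let a <script> in someone's bio run in every reader's browser.
        bioOutput.Text = HttpUtility.HtmlEncode(bio_Text.Text);
        statusLabel.Text = "Saved.";
    }
}
```

If the bio must render as real HTML rather than as escaped text, encoding is not enough; a whitelist sanitizer has to strip everything except the permitted tags before the value is written to the page.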