By Jonathan Kehayias @ Monday, July 21, 2008 8:13 AM :: 2544 Views :: 0 Comments

I have seen a number of posts on various forums about problems loading the System.Web assembly as UNSAFE in SQL Server so that the HttpUtility.HtmlEncode/HtmlDecode methods can be used to encode or decode input. The following function can be cataloged as SAFE in SQL Server and does exactly the same thing as the HtmlEncode method in System.Web.

 

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Globalization;
using System.Text;
 
public partial class UserDefinedFunctions
{
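    // Encodes <, >, " and & as named entities and characters U+00A0..U+00FF
    // as numeric entities (&#NNN;). Everything else, including the single
    // quote ('), is copied through unchanged.
    [Microsoft.SqlServer.Server.SqlFunction]
    public static string HtmlEncode(string s)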
    {
        if (s == null)
        {
            return null;
        }
        int num = IndexOfHtmlEncodingChars(s, 0);
        if (num == -1)
        {
            return s;
        }
        StringBuilder builder = new StringBuilder(s.Length + 5);
        int length = s.Length;
        int startIndex = 0;
    Label_002A:
        if (num > startIndex)
        {
            builder.Append(s, startIndex, num - startIndex);
        }
        char ch = s[num];
        if (ch > '>')
        {
            builder.Append("&#");
            builder.Append(((int)ch).ToString(NumberFormatInfo.InvariantInfo));
            builder.Append(';');
        }
        else
        {
            char ch2 = ch;
            if (ch2 != '"')
            {
                switch (ch2)
                {
                    case '<':
                        builder.Append("&lt;");
                        goto Label_00D5;
 
                    case '=':
                        goto Label_00D5;
 
                    case '>':
                        builder.Append("&gt;");
                        goto Label_00D5;
 
                    case '&':
                        builder.Append("&amp;");
                        goto Label_00D5;
                }
            }
            else
            {
                builder.Append("&quot;");
            }
        }
    Label_00D5:
        startIndex = num + 1;
        if (startIndex < length)
        {
            num = IndexOfHtmlEncodingChars(s, startIndex);
            if (num != -1)
            {
                goto Label_002A;
            }
            builder.Append(s, startIndex, length - startIndex);
        }
        return builder.ToString();
    }
 
 
    // Returns the index of the first character at or after startPos that
    // must be encoded, or -1 if there is none.
    private static int IndexOfHtmlEncodingChars(string s, int startPos)
    {
        // Index into the string directly instead of copying the remainder
        // into a new char[] on every call.
        for (int i = startPos; i < s.Length; i++)
        {
            char ch = s[i];
            if (ch <= '>')
            {
                switch (ch)
                {
                    case '<':
                    case '>':
                    case '"':
                    case '&':
                        return i;
                }
            }
            else if ((ch >= '\u00a0') && (ch < '\u0100'))
            {
                // U+00A0..U+00FF is written out as a numeric entity.
                return i;
            }
        }
        return -1;
    }
 
};
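
Cataloging the function as SAFE, as an added example that is not part of the original post: the assembly name `HtmlEncodeClr` and the DLL path are placeholders, and the sample inputs are constructed. Because the function above leaves the single quote unencoded, its output is suited to element content and double-quoted attribute values.

```sql
-- Added example; HtmlEncodeClr and the DLL path are placeholders.
-- Enable CLR integration once per instance.
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;
GO

-- SAFE is the most restrictive permission set: no file, network, registry
-- or unmanaged-code access. This is what avoids cataloging System.Web,
-- which has to be loaded as UNSAFE.
-- Note: on SQL Server 2017 and later, 'clr strict security' is on by default
-- and requires the assembly to be signed or trusted even when it is SAFE.
CREATE ASSEMBLY HtmlEncodeClr
FROM 'C:\clr\HtmlEncodeClr.dll'   -- placeholder path
WITH PERMISSION_SET = SAFE;
GO

-- nvarchar(max) on both sides: the encoded text can be several times longer
-- than the input (for example & becomes &amp;), so a fixed-length return
-- type could be too small for long inputs.
CREATE FUNCTION dbo.HtmlEncode (@s nvarchar(max))
RETURNS nvarchar(max)
AS EXTERNAL NAME HtmlEncodeClr.UserDefinedFunctions.HtmlEncode;
GO

-- Confirm the permission set actually recorded for the assembly.
SELECT name, permission_set_desc
FROM sys.assemblies
WHERE name = N'HtmlEncodeClr';

-- Constructed inputs covering each branch of the function:
-- markup characters, a Latin-1 character, a single quote, and NULL.
SELECT v.s AS input, dbo.HtmlEncode(v.s) AS encoded
FROM (VALUES
        (N'<b title="x">A & B</b>'),
        (N'café'),
        (N'it''s'),
        (NULL)
     ) AS v(s);
```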