We are leasing our servers, and the owners are implementing NetScaler security to help prevent SQL injection attacks and cross-site scripting. I am working with a few applications, one in the .NET 2.0 framework (VB.NET) and another in the .NET 4.0 framework (C#), both using an Oracle database. We have several text fields on several screens where users can enter free-form text (e.g., comments).

My issue is that I have tried to use HttpUtility.HtmlEncode and HttpUtility.UrlEncode in the .NET framework; I can encode and save the data, and then retrieve it, decode it and display it. However, we need to save it to the database not encoded, so basically I need to encode the data on the client side/web page, send it across the network, and before it writes to the database, decode it and save it. I do not know if Oracle has a tool that can be called from the application to encode, and then at the stored procedure level be able to decode and store the text "as is". I have not found anything where other users have had this same issue.

We have also tried using AntiXSS, but it does not account for the keywords that are being monitored (simple words such as and, or, join, minus, group, add, alter, etc. are considered keywords). Any input would be appreciated!

Thanks.
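As an added illustration (not code from the poster or from any of the applications described), the pattern below shows how the application layer itself keeps free-form text out of the SQL: the comment is passed to Oracle as a bind variable, stored exactly as typed, and HTML-encoded only when it is rendered back into a page. The table `COMMENTS`, the stored procedure `save_comment`, and the connection string are assumptions for the example; the driver calls are ODP.NET managed (`Oracle.ManagedDataAccess`), and `HttpUtility` comes from `System.Web`.

```csharp
using System;
using System.Data;
using System.Web;                          // HttpUtility.HtmlEncode (System.Web.dll)
using Oracle.ManagedDataAccess.Client;     // ODP.NET managed driver (Oracle.ManagedDataAccess package)

public static class CommentStore
{
    // Assumed table for this example: COMMENTS (ID NUMBER, BODY CLOB)
    public static void SaveComment(string connectionString, int id, string rawComment)
    {
        using (var conn = new OracleConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.BindByName = true;
            // The comment text is never concatenated into the statement, so words
            // such as "or", "join" or "alter" inside it are data to Oracle, not SQL.
            cmd.CommandText = "INSERT INTO comments (id, body) VALUES (:id, :body)";
            cmd.Parameters.Add("id", OracleDbType.Int32).Value = id;
            cmd.Parameters.Add("body", OracleDbType.Clob).Value = rawComment;
            cmd.ExecuteNonQuery();
        }
    }

    // Same idea through a stored procedure: the text arrives as a bound IN
    // parameter and the procedure stores it as-is, so no encode/decode step
    // is needed on either side.
    // Assumed procedure: PROCEDURE save_comment (p_id IN NUMBER, p_body IN CLOB)
    public static void SaveCommentViaProcedure(string connectionString, int id, string rawComment)
    {
        using (var conn = new OracleConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.BindByName = true;
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "save_comment";
            cmd.Parameters.Add("p_id", OracleDbType.Int32).Value = id;
            cmd.Parameters.Add("p_body", OracleDbType.Clob).Value = rawComment;
            cmd.ExecuteNonQuery();
        }
    }

    // Reads the stored text back unchanged (the database holds the raw value).
    public static string ReadComment(string connectionString, int id)
    {
        using (var conn = new OracleConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            cmd.BindByName = true;
            cmd.CommandText = "SELECT body FROM comments WHERE id = :id";
            cmd.Parameters.Add("id", OracleDbType.Int32).Value = id;
            using (OracleDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read() || reader.IsDBNull(0))
                    return string.Empty;
                return reader.GetString(0);
            }
        }
    }

    // Cross-site scripting is addressed at output time: the raw comment is
    // HTML-encoded when it is written into the page, not before it is stored.
    public static string RenderComment(string rawComment)
    {
        return "<p>" + HttpUtility.HtmlEncode(rawComment) + "</p>";
    }
}
```

The same two rules carry over to the VB.NET / .NET 2.0 application with the classic `System.Data.OracleClient` or the unmanaged ODP.NET provider: bind every user-supplied value as a parameter, and encode on output rather than on input. The NetScaler keyword rules are a separate, network-layer control; which fields it inspects and which words it treats as suspicious is a policy question for the hosting team, and it is not something the application should try to work around by transforming the text in transit.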