Battle against the Quotes
on 17.04.2005 19:53:55 by DFS
Hi
Just wanted to see what the standard battle plan is when you want to allow a
user to enter and retrieve data from an ASP/DB solution and the infernal
single or double quote issue comes up if they've been entering these chars.
For example, I have a web form that is simply:
Name:
Desc:
etc...
End user enters the following into the boxes:
Name: Paul O'Malley
Desc: Paul O'Malley's leg is 3" shorter than it's standard length.
I use the replace command to 'escape' these quotes before I submit them into
the Access DB so there is no issue there, but when the user wants to go into
the 'Modify Details' form and retrieve these details to mod them, it's the
good old HTML that falls foul of the quotes.
Because the VALUE part of the INPUT text box has to be either VALUE="<%the
name%>" or VALUE='<%the name%>' to encapsulate the data, whichever I choose
the end user will always find a way of goofing it up.
For example, if they have typed in 'Paul O'Malley's leg is 3" shorter than
it's standard' in the Name field and my VALUE used double quotes then all it
is going to show is:
Paul O'Malley's leg is 3"
If I use single quotes then all it is going to show is:
Paul O
Do I take it that I should do another replace on the way in so that the data
is 'escaped' again before being dropped into the text box? Is there a
better way?
Thks
Re: Battle against the Quotes
on 17.04.2005 22:21:17 by Bob Lehmann
HtmlEncode the values you are trying to display.
Bob Lehmann
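
Added example, not part of the original thread: a classic ASP "Modify Details" page that HTML-encodes stored values at output time, using the sample strings from the question. The helper name `AttrEncode`, the target `modify.asp` and the `notes` field are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Hypothetical helper: encode a value for an HTML attribute or element body.
' Server.HTMLEncode converts & < > and " to entities but leaves the
' apostrophe alone, so ' is replaced separately. The result is then safe
' in double-quoted and single-quoted attributes alike.
Function AttrEncode(ByVal v)
    If IsNull(v) Then v = ""          ' empty database fields come back as Null
    AttrEncode = Replace(Server.HTMLEncode(CStr(v)), "'", "&#39;")
End Function

' Constructed sample values, as they would be read back from the database.
' They are held unescaped; encoding happens only when writing into HTML.
Dim personName, personDesc
personName = "Paul O'Malley"
personDesc = "Paul O'Malley's leg is 3"" shorter than it's standard length."
%>
<form method="post" action="modify.asp">
  Name: <input type="text" name="name" value="<%= AttrEncode(personName) %>"><br>
  Desc: <input type="text" name="desc" value='<%= AttrEncode(personDesc) %>'><br>
  Notes: <textarea name="notes"><%= AttrEncode(personDesc) %></textarea><br>
  <input type="submit" value="Save">
</form>
```

The browser decodes the entities when it builds the form, so the text boxes show the full original text and the post-back contains the original characters. The same encoding also stops a stored value containing `">` followed by markup from breaking out of the attribute.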
Re: Battle against the Quotes
on 18.04.2005 01:02:17 by preet
stupid solution for a stupid question
variable=request.form("textarea")
variable=replace(variable, "'", "''")
have fun
Re: Battle against the Quotes
on 18.04.2005 01:10:12 by reb01501
preet wrote:
> stupid solution for a stupid question
>
> variable=request.form("textarea")
>
> variable=replace(variable, "'", "''")
>
>
> have fun
>
That's the wrong answer, so you may wish to reconsider that "stupid" comment ....
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"