escape character on text from a recordset field


SteveMets

Jun 24, 2009, 4:31:34 PM
to asp-ajaxed
Hi,

Is there a string method or other function to get an RS to pull in the
text from a field so that an entry such as Bob's Cakes will render as
Bob's Cakes, and not Bob? Need to account for this and any other
special characters (these seem to post fine with the db.update and
db.insert, but get truncated because of improper escape characters)

Michal Gabrukiewicz

Jun 24, 2009, 10:19:40 PM
to asp-ajaxed
yes there is..
every output you display to the user should go through the str.HTMLEncode() method ... there is a short form which allows you to do it just with str("bob's value")

in an input field like that then

<input type="text" value="<%= str("bob's value") %>">

if you want to remember the own value on postback then probably the following helps you too:

<input type="text" name="firstname" value="<%= str(page.RF("firstname")) %>">
--
michal

SteveMets

Jun 25, 2009, 10:36:13 AM
to asp-ajaxed
Hi,

I am using the code below:

Contact=Trim(str(RS.Fields("SchoolContact")))

I tried the full str.HTMLEncode() method before I posted the
question, and the results seem to be the same- I am still getting the
same result, in that the text trailing after ' (apostrophe) is
truncated. It's curious because if I type the text in the input text
box and submit it, all special characters are inserted/updated into
the database.

On another topic, I've added a couple of Validators- they seem to
work- and prevent the update and write the error on screen. However,
the values on the page are lost. I want the screen to have the values
maintained, and the postback clears the input text boxes and stops the
values from being re-rendered:

if page.isPostback() then
    txtName = page.RF("Name2")
    txtPhone = page.RF("Phone2")
    txtEmail = page.RF("Email2")
    SSLBool = page.RFHas("ChkAddSchool")
    SiteID = "SiteCode='" & page.QS("SiteCode") & "'"

    set v = new Validator
    if Len(txtName) > 10 then
        v.add "contactname", "contact name is too long, you fool!"
    end if
    if v then
        ' the array literal spans several lines, so each line needs a continuation
        updated = db.update("RegForm", array("ContactPhone", txtPhone, _
                                             "SchoolContact", txtName, _
                                             "ContactEmail", txtEmail, _
                                             "SchoolLevelLANA", SSLBool), SiteID)
        response.redirect("confirmationSLL.htm")
    else
        str.write(v.getErrorSummary("<ul>", "</ul>", "<li>", "</li>"))
    end if
else
    ' ... this is the original page render code before postback.
end if

I've reviewed the validator API, but it's presented as a fragment- any
suggestions of where and how to place code that will
keep the values, or prevent them from being cleared. One of the major
issues I have with ASP is that you can not set the value of an element
such as an input text box, so even if I stored the values in session
or other means, I can't use them. Thanks for your advice walking me
through this. I have been able to make almost all of it work due to
your help.



Michal Gabrukiewicz

Jun 25, 2009, 11:56:04 AM
to asp-ajaxed
see answer below

On Thu, Jun 25, 2009 at 9:36 PM, SteveMets <Steve....@sparkhound.com> wrote:

> Hi,
>
> I am using the code below:
>
> Contact=Trim(str(RS.Fields("SchoolContact")))
>
> I tried the full str.HTMLEncode() method before I posted the
> question, and the results seem to be the same- I am still getting the
> same result, in that the text trailing after ' (apostrophe) are
> truncated.

could you show the actual HTML where you use the value...

--
michal

SteveMets

Jun 25, 2009, 11:57:09 AM
to asp-ajaxed
Michal,

Please ignore the part about validations and postback. I am using
literal variables as the value for the text boxes, and that value is
still available, so I am able to re-populate.

I am however getting a false positive on this:

if str.isValidEmail(txtEmail) = false then
    v.add "EmailInvalid", "Please enter a valid Contact E-mail- " & txtEmail
end if
If the value is "BobJ...@microsoft.com" it still throws an invalid
message. I also tried these with same result:

if Not str.isValidEmail(txtEmail) then
and

if str.isValidEmail(txtEmail) then



Michal Gabrukiewicz

Jun 25, 2009, 12:08:31 PM
to asp-ajaxed
okay skipped it already :)

the issue is easy .. it's not an ajax issue it's a HTML markup issue you are having ..
change
value=' <%= Contact %>'
to
value=" <%= Contact %>"

it's important you ALWAYS use proper apostrophes to avoid "painful" problems....

On Thu, Jun 25, 2009 at 11:05 PM, Steve Dooley <Steve....@sparkhound.com> wrote:

> Hi Michal,
>
> Just make sure you don’t waste your time on the validation and postback part of the post, I solved that (another post explains).
>
> Contact=Trim(str(RS.Fields("SchoolContact"))) is used to retrieve the data from the DB, and store in var;
>
> The HTML shows how this is used. For whatever reason, the apostrophe breaks off the text that follows it, so it is never stored in the variable, and the Input Text Box just displays what’s there. I’m not sure if other special characters pose a problem- but this one is quite common
>
> <input name="Name2" type="text" id="Name2" value=' <%= Contact %>'  tabindex="8" size="50" maxlength="100">

--
michal

mga...@gmail.com

Jun 25, 2009, 10:48:18 PM
to asp-ajaxed
see comments below

On Jun 26, 2009 1:31am, Steve Dooley <Steve....@sparkhound.com> wrote:
>
> Contact = (Replace(Contact,"'","’"))
>
> Used WITHOUT str.HTMLEncode seems to work fine, and it posts
> properly as well.  Used with, it will display as text    ’

it might work but it's not proper html ... you should definitely use htmlencode and double apostrophes. your code is now vulnerable to XSS, etc.

>
> Still don’t know why IsvalidEmail is failing to recognize a
> valid e-mail.  Thanks

just debug it .. str.isvalidemail is a small function

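The three renderings discussed in this thread, modelled in Python as an added example (this is not asp-ajaxed code and not anything the participants posted): `html_encode` is an assumed equivalent of `str.HTMLEncode`, the `render_*` functions reproduce the single-quoted unencoded attribute from Steve's page, the `Replace(Contact,"'","’")` workaround, and Michal's double-quoted encoded form, and Python's `html.parser` stands in for the browser to show which value actually reaches the text box and whether a value can add attributes or elements of its own. All sample values are constructed.

```python
"""Added example: how the three ways the thread renders a recordset value into
<input value=...> are seen by an HTML parser standing in for the browser.
html_encode is an assumed equivalent of asp-ajaxed's str.HTMLEncode; nothing
here is the library's own code."""
from html.parser import HTMLParser

APOS, CURLY = "'", "\u2019"  # ASCII apostrophe and the U+2019 substitute


def html_encode(value: str) -> str:
    """Escape every character that can end a text node or a quoted attribute."""
    return (value.replace("&", "&amp;")   # ampersand first, so later entities survive
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render_single_quoted_raw(value: str) -> str:
    # The markup from the thread: single-quoted attribute, value not encoded.
    return f"<input name=\"Name2\" type=\"text\" value='{value}'>"


def render_single_quoted_curly(value: str) -> str:
    # The Replace(Contact, "'", U+2019) workaround, still without encoding.
    return f"<input name=\"Name2\" type=\"text\" value='{value.replace(APOS, CURLY)}'>"


def render_double_quoted_encoded(value: str) -> str:
    # Michal's recommendation: double quotes plus HTMLEncode on every output.
    return f'<input name="Name2" type="text" value="{html_encode(value)}">'


def render_text_curly(value: str) -> str:
    # The same workaround when the value lands in page text, not an attribute.
    return f"<span>{value.replace(APOS, CURLY)}</span>"


def render_text_encoded(value: str) -> str:
    return f"<span>{html_encode(value)}</span>"


class _Collector(HTMLParser):
    """Records every start tag with its attribute list, as a browser would see it."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse(markup: str):
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags


def input_value(markup: str):
    """The value attribute the browser would place in the text box."""
    for tag, attrs in parse(markup):
        if tag == "input":
            return dict(attrs).get("value")
    return None


def attribute_names(markup: str):
    """Attribute names of the first <input>; an extra one means the value broke out."""
    for tag, attrs in parse(markup):
        if tag == "input":
            return [name for name, _ in attrs]
    return []


def tag_names(markup: str):
    """Every element the parser creates; an extra one means raw markup got through."""
    return [tag for tag, _ in parse(markup)]


if __name__ == "__main__":
    value = "Bob's Cakes"        # constructed sample, as in the thread
    breakout = "x' extra='y"     # constructed: terminates a single-quoted attribute
    for render in (render_single_quoted_raw, render_single_quoted_curly,
                   render_double_quoted_encoded):
        print(f"{render.__name__:28} -> {input_value(render(value))!r}"
              f"  attrs={attribute_names(render(breakout))}")
    print("curly in text  :", tag_names(render_text_curly("<b>x</b>")))
    print("encoded in text:", tag_names(render_text_encoded("<b>x</b>")))
```

Running it shows the truncation to `Bob` for the single-quoted unencoded form, the extra `extra` attribute a value containing an apostrophe can introduce there, and that the curly-quote substitution only fixes the attribute case: a `<` in the same value still becomes an element when the value is written into page text, while the encoded form keeps it as text in both contexts.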