help me with " sign in display of data in asp form

 
 
cooldv
01-18-2004
i know how to replace the sign " when SUBMITTING a form in asp by this
code:
message = Replace(usermessage, "'", "''").

My problem is DISPLAYING data in an asp FORM, from an access
database, when the data already contains a " sign

problem is like this:
access database .... to update on the internet .... a *dataupdate.asp*
page ..... On this page, the data gets displayed in a form where i
make corrections and then i update it ..... working perfectly; the
data gets displayed in the form perfectly well and gets updated also
>>> BUT >>>
>>> PROBLEM >>>

If there is a " sign in the data, then all the text beyond the " sign
is not displayed inside the text box of the form and is obviously lost
if the form is submitted to update the database.

Also, if data is like this:
text1 " text2 > text3 text4

then,
text1 is displayed inside the text box of the form
text2 is not displayed anywhere as it is after the sign "
the data beyond the > sign gets displayed, but
text3 text4 get displayed OUTSIDE the text box of the form as html
output


Here is the code:

<%
Actionvar=Request.QueryString("actionvar")

Set conn = server.createobject("adodb.connection")
DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
conn.Open DSNtemp

IF Actionvar="update" THEN
IF Len(TRIM(Request.Form("flag"))) = 0 THEN
SQLstmt = "SELECT * FROM database WHERE dataID=" & Request.QueryString("Recid")

Set rs = conn.Execute(SQLstmt)
IF NOT RS.EOF THEN
%>

<table>
<FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
<INPUT TYPE="text" size="78" NAME="dataMessage"
VALUE="<%=rs("Message")%>">

<INPUT TYPE="hidden" NAME="flag" VALUE="2">
<INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
<INPUT TYPE="submit" VALUE="Update">
</form>
</table>

<%
rs.MoveNext
rs.Close
END IF
ELSEIF Request.Form("flag")="2" THEN
comnt = request.form("dataMessage")
kament = Replace(comnt, "'", "''")

SQLstmt = "UPDATE database SET "
SQLstmt = SQLstmt & "Message='" & kament & "' "

any help please???

i believe the problem is in how i am displaying data in this part of
the code:
<INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
 

Steven Burn
01-18-2004
You'll need to replace the quotes before they reach the database, using
something along the lines of;

Saving data;

yourdata = Request.Form("datamessage")
'// Replace quotes with: --
strData = Replace(yourdata, chr(34), "--")

Getting data;
'// replace -- with quotes
strData = Replace(yourdata, "--", chr(34))

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)


cooldv <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> i know how to replace the sign " when SUBMITTING a form in asp by this
> code:
> message = Replace(usermessage, "'", "''").
>
> My problem is DISPLAYING data in an asp FORM, from an access
> database, when the data already contains a " sign
>
> problem is like this:
> access database .... to update on the internet .... a *dataupdate.asp*
> page ..... On this page, the data gets displayed in a form where i
> make corrections and then i update it ..... working perfectly; the
> data gets displayed in the form perfectly well and gets updated also
> >>> BUT >>>
> >>> PROBLEM >>>

> If there is a " sign in the data, then all the text beyond the " sign
> is not displayed inside the text box of the form and is obviously lost
> if the form is submitted to update the database.
>
> Also, if data is like this:
> text1 " text2 > text3 text4
>
> then,
> text1 is displayed inside the text box of the form
> text2 is not displayed anywhere as it is after the sign "
> the data beyond the > sign gets displayed, but
> text3 text4 get displayed OUTSIDE the text box of the form as html
> output
>
>
> Here is the code:
>
> <%
> Actionvar=Request.QueryString("actionvar")
>
> Set conn = server.createobject("adodb.connection")
> DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
> DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
> conn.Open DSNtemp
>
> IF Actionvar="update" THEN
> IF Len(TRIM(Request.Form("flag"))) = 0 THEN
> SQLstmt = "SELECT * FROM database WHERE dataID=" &
> Request.QueryString("Recid")
>
> Set rs = conn.Execute(SQLstmt)
> IF NOT RS.EOF THEN
> %>
>
> <table>
> <FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
> <INPUT TYPE="text" size="78" NAME="dataMessage"
> VALUE="<%=rs("Message")%>">
>
> <INPUT TYPE="hidden" NAME="flag" VALUE="2">
> <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
> <INPUT TYPE="submit" VALUE="Update">
> </form>
> </table>
>
> <%
> rs.MoveNext
> rs.Close
> END IF
> ELSEIF Request.Form("flag")="2" THEN
> comnt = request.form("dataMessage")
> kament = Replace(comnt, "'", "''")
>
> SQLstmt = "UPDATE database SET "
> SQLstmt = SQLstmt & "Message='" & kament & "' "
>
> any help please???
>
> i believe the problem is in how i am displaying data in this part of
> the code:
> <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">



 

Bob Barrows
01-18-2004
cooldv wrote:
<snip>
This

> <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">


should be either this:

<INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>

or this:

<INPUT TYPE="hidden" NAME="Recordid" VALUE=
"<%=Server.HTMLEncode(rs("dataID"))%>">

Check out this short example to see the difference:

<%
sText="text containing "" character"
Response.Write stext & "<BR>"
%>
<HTML>
<BODY>
<INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
</BODY>
</HTML>

HTH,
Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 

Aaron Bertrand [MVP]
01-18-2004
> You'll need to replace the quotes before they reach the database, using
> something along the lines of;
>
> Saving data;
>
> yourdata = Request.Form("datamessage")


Too late at that point. The problem isn't putting the data into the
database, it's that the data is truncated (by having value="foo"bar") before
it even gets to the ASP form handler.

> Getting data;
> '// replace -- with quotes
> strData = Replace(yourdata, "--", chr(34))


Plus, I disagree with this method altogether. Why would you replace quotes
with dashes? You're completely changing the meaning of the existing data,
plus you'll turn *ALL* dashes into double quotes when retrieving.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/


 

Steven Burn
01-18-2004
Aaron Bertrand [MVP] <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> > You'll need to replace the quotes before they reach the database, using
> > something along the lines of;
> >
> > Saving data;
> >
> > yourdata = Request.Form("datamessage")

>
> Too late at that point. The problem isn't putting the data into the
> database, it's that the data is truncated (by having value="foo"bar") before
> it even gets to the ASP form handler.

</snip>

In that case, couldn't you use some javascript code or something?

<snip>
> > Getting data;
> > '// replace -- with quotes
> > strData = Replace(yourdata, "--", chr(34))

>
> Plus, I disagree with this method altogether. Why would you replace quotes
> with dashes? You're completely changing the meaning of the existing data,
> plus you'll turn *ALL* dashes into double quotes when retrieving.

</snip>

I just figured you could replace the quotes with something that's not likely
to be in there (doesn't have to be dashes obviously), so if you don't want
to use dashes, you could replace it with &quote or something?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)


 

Aaron Bertrand [MVP]
01-18-2004
> I just figured you could replace the quotes with something that's not likely
> to be in there (doesn't have to be dashes obviously), so if you don't want
> to use dashes, you could replace it with &quote or something?


Again, the problem isn't in STORING the data. So a solution that involves
"encoding" the character to store in the database not only "vandalizes" the
data (someone running a SELECT column FROM table might not be aware of this
replace, and wonder why there's a dash or a tilde or some other character
when there should be a quote), it doesn't solve the issue anyway.


 

Chris Hohmann
01-18-2004
"Bob Barrows" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> cooldv wrote:
> <snip>
> This
>
> > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">

>
> should be either this:
>
> <INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>
>
> or this:
>
> <INPUT TYPE="hidden" NAME="Recordid" VALUE=
> "<%=HTMLEncode(rs("dataID"))%>">
>
> Check out this short example to see the difference:
>
> <%
> sText="text containing "" character"
> Response.Write stext & "<BR>"
> %>
> <HTML>
> <BODY>
> <INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
> </BODY>
> </HTML>


I'd like to vote for option 2, since it is immune to both apostrophes
( ' ) and quotes ( " ), as well as any other entity references that may
exist in the data (less-than, greater-than, ampersand, etc...)


 

cooldv
01-19-2004
"Bob Barrows" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> cooldv wrote:
> <snip>
> This
>
> > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">

>
> should be either this:
>
> <INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>



-------- No!!!! with this change, any text beyond an apostrophe '
sign in the data disappears


> or this:
>
> <INPUT TYPE="hidden" NAME="Recordid" VALUE=
> "<%=HTMLEncode(rs("dataID"))%>">
>
> Check out this short example to see the difference:
>
> <%
> sText="text containing "" character"
> Response.Write stext & "<BR>"
> %>
> <HTML>
> <BODY>
> <INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
> </BODY>
> </HTML>
>
> HTH,
> Bob Barrows


i could not understand what you meant by this. could you please be
more specific, how do i do that?
dataID or RecID is a numeric value and i have no trouble with the ID.
It is the TEXT with a double quote that is giving me a hard time.

i put a demo of the problem here:
http://www.dv.pgims.org/datadisplay.asp

here is my code again:

<%
Actionvar=Request.QueryString("actionvar")

Set conn = server.createobject("adodb.connection")
DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
conn.Open DSNtemp

IF Actionvar="update" THEN
IF Len(TRIM(Request.Form("flag"))) = 0 THEN
SQLstmt = "SELECT * FROM database WHERE dataID=" & Request.QueryString("Recid")

Set rs = conn.Execute(SQLstmt)
IF NOT RS.EOF THEN
%>

<table>
<FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
<INPUT TYPE="text" size="78" NAME="dataMessage"
VALUE="<%=rs("Message")%>">

<INPUT TYPE="hidden" NAME="flag" VALUE="2">
<INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
<INPUT TYPE="submit" VALUE="Update">
</form>
</table>

<%
rs.MoveNext
rs.Close
END IF
ELSEIF Request.Form("flag")="2" THEN
comnt = request.form("dataMessage")
kament = Replace(comnt, "'", "''")

SQLstmt = "UPDATE database SET "
SQLstmt = SQLstmt & "Message='" & kament & "' "
 

Aaron Bertrand [MVP]
01-19-2004
What he's suggesting is pretty simple. Change this:

<INPUT TYPE="text" size="78" NAME="dataMessage" VALUE="<%=rs("Message")%>">

To this:

<INPUT TYPE="text" size="78" NAME="dataMessage"
VALUE="<%=Server.HTMLEncode(rs("Message"))%>">

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/


 

cooldv
01-20-2004
"Aaron Bertrand [MVP]" <(E-Mail Removed)> wrote in message news:<#(E-Mail Removed)>...
> What he's suggesting is pretty simple. Change this:
>
> <INPUT TYPE="text" size="78" NAME="dataMessage" VALUE="<%=rs("Message")%>">
>
> To this:
>
> <INPUT TYPE="text" size="78" NAME="dataMessage"
> VALUE="<%=Server.HTMLEncode(rs("Message"))%>">



Thank you, Bob Barrows for your solution and Aaron Bertrand for your clarification.

The above solution is working like a charm. Thanks again.
 
Reply With Quote
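
Added example, not part of the thread and not any poster's code: a Python model of what an HTML parser recovers from the dataMessage text box when the stored value is written raw versus encoded. `html.escape` stands in for `Server.HTMLEncode`; the sample strings and the names `FormReader`, `render` and `round_trip` are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample values: the poster's test string and a value with an apostrophe.
SAMPLE = 'text1 " text2 > text3 text4'
APOSTROPHE = "O'Brien said \"hi\""


class FormReader(HTMLParser):
    """Records what an HTML parser recovers: input values by name, plus stray text."""

    def __init__(self):
        super().__init__()
        self.values, self.stray_text = {}, []

    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)
        if tag == "input" and "name" in fields:
            self.values[fields["name"]] = fields.get("value")

    def handle_data(self, data):
        if data.strip():
            self.stray_text.append(data.strip())


def render(message, quote='"', encode=False):
    """Emit the dataMessage text box; encode=True applies attribute encoding."""
    value = escape(message, quote=True) if encode else message
    return f'<form><input type="text" name="dataMessage" value={quote}{value}{quote}></form>'


def round_trip(message, quote='"', encode=False):
    """Return (value the form would post back, text that leaked outside the box)."""
    reader = FormReader()
    reader.feed(render(message, quote, encode))
    reader.close()
    return reader.values.get("dataMessage"), reader.stray_text


if __name__ == "__main__":
    print(round_trip(SAMPLE))                  # raw value, double-quoted attribute
    print(round_trip(APOSTROPHE, quote="'"))   # raw value, single-quoted attribute
    print(round_trip(SAMPLE, encode=True))     # encoded value survives intact
    print(round_trip(APOSTROPHE, encode=True))
```

The raw cases reproduce both symptoms reported in the thread (truncation at the quote character, text spilling outside the box), and the encoded cases return the stored value unchanged, so the subsequent UPDATE writes back what was read.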
 
 
 