p2p.wrox.com Forums

Need to download code?

View our list of code downloads.


  Return to Index  

proasp_howto thread: Retrieve / Store HTML code in database


Message #1 by "Peter Foti (PeterF)" <PeterF@S...> on Tue, 20 Mar 2001 15:56:03 -0500
> Try replacing " with ""
> 
> <input type="text" name="COMPANYNAME"
> value="<%=replace(Session("COMPANYNAME"), chr(34), chr(34)&chr(34))%>"
> size="34" maxlength="50" />

This approach is fine for generating SQL strings.  But it would not work 
for HTML code.  For example, if I had a string like this:
My"String
then using the method above, the HTML code would be generated like this:
<input type="text" name="COMPANYNAME" value="My""String" size="34" 
maxlength="50" />

I could be wrong, but I think that is still invalid and will not display 
properly.  If you had replaced the quotes with the string " then it 
would have worked.  Also, when generating HTML code there are more things 
to worry about than just the double quote.  For example, the ampersand 
must be encoded as & to be valid html.  Therefore, the proper way to 
do this is to make use of the Server.HTMLEncode() method.  Now it's just a 
matter of determining what the side affects are.  :)


 
> -----Original Message-----
> From: Peter Foti (PeterF) [mailto:PeterF@S...]
> Sent: Tuesday, March 20, 2001 8:56 PM
> To: How To
> Subject: Retrieve / Store HTML code in database
> 
> 
> This subject does not really properly explain what I want to do.  Here
> is what I'm doing.
> 
> I have a form which will display what a user previously entered using a
> session variable.  I found that if the user entered something with
> quotes, that my code became invalid and the page might not be displayed
> properly.  Here's an example of what a text input box might look like:
> 
> <input type="text" name="COMPANYNAME"
> value="<%=Session("COMPANYNAME")%>" size="34" maxlength="50" />
> 
> If nothing has been entered into Session("COMPANYNAME") then this will
> just have value="" and there is no problem.  Suppose the person entered
> this as the company name:
> Joe "The Man" Schmoe
> 
> Now the generated HTML code will look like this:
> <input type="text" name="COMPANYNAME" value="Joe "The Man" Schmoe"
> size="34" maxlength="50" />
> 
> In this case, the form will display the "Joe " portion in the input box.
> 
> So I did some digging and found the Server.HTMLEncode method.  This will
> change all code to be properly escaped, including quotes and ampersands.
> 
> 
> Here's my question.  It seems like almost anyone who uses forms and
> fills in values with previously entered info would run into this
> problem.  I think the solution is as follows (but I'm not sure, so I'm
> asking):
> When the user enters the info, it is passed on to another ASP page which
> stores the info in session variables.  Before the info is stored, it
> should be encoded.  Like so:
> Session("COMPANYNAME") = Server.HTMLEncode(Request("COMPANYNAME"))
> 
> So instead of storing:
> Joe "The Man" Schmoe
> 
> the session variable would store:
> Joe "The Man" Schmoe
> 
> and when I update my database, I would assume that this is how the info
> will get put into the database.  How will that affect searches?  I would
> assume that I will need to HTMLEncode search strings before comparing
> them.  
> 
> Does this look like the right thing to do?  Are there any other side
> affects that I don't see?
> Thanks for any info.
> 
> Peter Foti
> Systolic Networks
> Phone:  (xxx) xxx-xxxx
> Fax:  (xxx) xxx-xxxx
> 

  Return to Index