help me with " sign in display of data in asp form

Discussion in 'ASP General' started by cooldv, Jan 18, 2004.

  1. cooldv

    cooldv Guest

    i know how to replace the sign " when SUBMITTING a form in asp by this
    code:
    message = Replace(usermessage, "'", "''").

    My problem is DISPLAYING data in an asp FORM, from an access
    database, when the data already contains a " sign

    problem is like this:
    access database .... to update on the internet .... a *dataupdate.asp*
    page ..... On this page, the data gets displayed in a form where i
    make corrections and then i update it ..... working perfectly; the
    data gets displayed in the form perfectly well and gets updated also
    >>> BUT >>>
    >>> PROBLEM >>>

    If there is a " sign in the data, then all the text beyond the " sign
    is not displayed inside the text box of the form and is obviously lost
    if the form is submitted to update the database.

    Also, if data is like this:
    text1 " text2 > text3 text4

    then,
    text1 is displayed inside the text box of the form
    text2 is not displayed anywhere as it is after the sign "
    the data beyond the > sign gets displayed, but
    text3 text4 get displayed OUTSIDE the text box of the form as html
    output


    Here is the code:

    <%
    Actionvar=Request.QueryString("actionvar")

    Set conn = server.createobject("adodb.connection")
    DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
    DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
    conn.Open DSNtemp

    IF Actionvar="update" THEN
    IF Len(TRIM(Request.Form("flag"))) = 0 THEN
    SQLstmt = "SELECT * FROM database WHERE dataID=" & Request.QueryString("Recid")

    Set rs = conn.Execute(SQLstmt)
    IF NOT RS.EOF THEN
    %>

    <table>
    <FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
    <INPUT TYPE="text" size="78" NAME="dataMessage"
    VALUE="<%=rs("Message")%>">

    <INPUT TYPE="hidden" NAME="flag" VALUE="2">
    <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
    <INPUT TYPE="submit" VALUE="Update">
    </form>
    </table>

    <%
    rs.MoveNext
    rs.Close
    END IF
    ELSEIF Request.Form("flag")="2" THEN
    comnt = request.form("dataMessage")
    kament = Replace(comnt, "'", "''")

    SQLstmt = "UPDATE database SET "
    SQLstmt = SQLstmt & "Message='" & kament & "' "

    any help please???

    i believe the problem is in how i am displaying data in this part of
    the code:
    <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
     
    cooldv, Jan 18, 2004
    #1

  2. cooldv

    Steven Burn Guest

    You'll need to replace the quotes before they reach the database, using
    something along the lines of;

    Saving data;

    yourdata = Request.Form("datamessage")
    '// Replace quotes with: --
    strData = Replace(yourdata, chr(34), "--")

    Getting data;
    '// replace -- with quotes
    strData = Replace(yourdata, "--", chr(34))

    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

    Disclaimer:
    I know I'm probably wrong, I just like taking part ;o)


    cooldv <> wrote in message
    news:...
    > i know how to replace the sign " when SUBMITTING a form in asp by this
    > code:
    > message = Replace(usermessage, "'", "''").
    >
    > My problem is DISPLAYING data in an asp FORM, from an access
    > database, when the data already contains a " sign
    >
    > problem is like this:
    > access database .... to update on the internet .... a *dataupdate.asp*
    > page ..... On this page, the data gets displayed in a form where i
    > make corrections and then i update it ..... working perfectly; the
    > data gets displayed in the form perfectly well and gets updated also
    > >>> BUT >>>
    > >>> PROBLEM >>>

    > If there is a " sign in the data, then all the text beyond the " sign
    > is not displayed inside the text box of the form and is obviously lost
    > if the form is submitted to update the database.
    >
    > Also, if data is like this:
    > text1 " text2 > text3 text4
    >
    > then,
    > text1 is displayed inside the text box of the form
    > text2 is not displayed anywhere as it is after the sign "
    > the data beyond the > sign gets displayed, but
    > text3 text4 get displayed OUTSIDE the text box of the form as html
    > output
    >
    >
    > Here is the code:
    >
    > <%
    > Actionvar=Request.QueryString("actionvar")
    >
    > Set conn = server.createobject("adodb.connection")
    > DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
    > DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
    > conn.Open DSNtemp
    >
    > IF Actionvar="update" THEN
    > IF Len(TRIM(Request.Form("flag"))) = 0 THEN
    > SQLstmt = "SELECT * FROM database WHERE dataID=" &
    > Request.QueryString("Recid")
    >
    > Set rs = conn.Execute(SQLstmt)
    > IF NOT RS.EOF THEN
    > %>
    >
    > <table>
    > <FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
    > <INPUT TYPE="text" size="78" NAME="dataMessage"
    > VALUE="<%=rs("Message")%>">
    >
    > <INPUT TYPE="hidden" NAME="flag" VALUE="2">
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
    > <INPUT TYPE="submit" VALUE="Update">
    > </form>
    > </table>
    >
    > <%
    > rs.MoveNext
    > rs.Close
    > END IF
    > ELSEIF Request.Form("flag")="2" THEN
    > comnt = request.form("dataMessage")
    > kament = Replace(comnt, "'", "''")
    >
    > SQLstmt = "UPDATE database SET "
    > SQLstmt = SQLstmt & "Message='" & kament & "' "
    >
    > any help please???
    >
    > i believe the problem is in how i am displaying data in this part of
    > the code:
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
     
    Steven Burn, Jan 18, 2004
    #2

  3. cooldv

    Bob Barrows Guest

    cooldv wrote:
    <snip>
    This

    > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">


    should be either this:

    <INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>

    or this:

    <INPUT TYPE="hidden" NAME="Recordid" VALUE=
    "<%=Server.HTMLEncode(rs("dataID"))%>">

    Check out this short example to see the difference:

    <%
    sText="text containing "" character"
    Response.Write stext & "<BR>"
    %>
    <HTML>
    <BODY>
    <INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
    </BODY>
    </HTML>

    HTH,
    Bob Barrows

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Jan 18, 2004
    #3
  4. > You'll need to replace the quotes before they reach the database, using
    > something along the lines of;
    >
    > Saving data;
    >
    > yourdata = Request.Form("datamessage")


    Too late at that point. The problem isn't putting the data into the
    database, it's that the data is truncated (by having value="foo"bar") before
    it even gets to the ASP form handler.

    > Getting data;
    > '// replace -- with quotes
    > strData = Replace(yourdata, "--", chr(34))


    Plus, I disagree with this method altogether. Why would you replace quotes
    with dashes? You're completely changing the meaning of the existing data,
    plus you'll turn *ALL* dashes into double quotes when retrieving.

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
     
    Aaron Bertrand [MVP], Jan 18, 2004
    #4
  5. cooldv

    Steven Burn Guest

    Aaron Bertrand [MVP] <> wrote in message
    news:...
    > > You'll need to replace the quotes before they reach the database, using
    > > something along the lines of;
    > >
    > > Saving data;
    > >
    > > yourdata = Request.Form("datamessage")

    >
    > Too late at that point. The problem isn't putting the data into the
    > database, it's that the data is truncated (by having value="foo"bar") before
    > it even gets to the ASP form handler.

    </snip>

    In that case, couldn't you use some javascript code or something?

    <snip>
    > > Getting data;
    > > '// replace -- with quotes
    > > strData = Replace(yourdata, "--", chr(34))

    >
    > Plus, I disagree with this method altogether. Why would you replace quotes
    > with dashes? You're completely changing the meaning of the existing data,
    > plus you'll turn *ALL* dashes into double quotes when retrieving.

    </snip>

    I just figured you could replace the quotes with something that's not likely
    to be in there (doesn't have to be dashes obviously), so if you don't want
    to use dashes, you could replace it with &quote or something?

    --
    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

    Disclaimer:
    I know I'm probably wrong, I just like taking part ;o)
     
    Steven Burn, Jan 18, 2004
    #5
  6. > I just figured you could replace the quotes with something that's not likely
    > to be in there (doesn't have to be dashes obviously), so if you don't want
    > to use dashes, you could replace it with &quote or something?


    Again, the problem isn't in STORING the data. So a solution that involves
    "encoding" the character to store in the database not only "vandalizes" the
    data (someone running a SELECT column FROM table might not be aware of this
    replace, and wonder why there's a dash or a tilde or some other character
    when there should be a quote), it doesn't solve the issue anyway.
     
    Aaron Bertrand [MVP], Jan 18, 2004
    #6
  7. "Bob Barrows" <> wrote in message
    news:...
    > cooldv wrote:
    > <snip>
    > This
    >
    > > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">

    >
    > should be either this:
    >
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>
    >
    > or this:
    >
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE=
    > "<%=Server.HTMLEncode(rs("dataID"))%>">
    >
    > Check out this short example to see the difference:
    >
    > <%
    > sText="text containing "" character"
    > Response.Write stext & "<BR>"
    > %>
    > <HTML>
    > <BODY>
    > <INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
    > </BODY>
    > </HTML>


    I'd like to vote for option 2, since it is immune to both apostrophes
    ( ' ) and quotes ( " ), as well as any other entity references that may
    exist in the data (less-than, greater-than, ampersand, etc...)
     
    Chris Hohmann, Jan 18, 2004
    #7
  8. cooldv

    cooldv Guest

    "Bob Barrows" <> wrote in message news:<>...
    > cooldv wrote:
    > <snip>
    > This
    >
    > > <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">

    >
    > should be either this:
    >
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE='<%=rs("dataID")%>'>



    -------- No!!!! with this change, any text beyond an apostrophe '
    sign in the data disappears


    > or this:
    >
    > <INPUT TYPE="hidden" NAME="Recordid" VALUE=
    > "<%=Server.HTMLEncode(rs("dataID"))%>">
    >
    > Check out this short example to see the difference:
    >
    > <%
    > sText="text containing "" character"
    > Response.Write stext & "<BR>"
    > %>
    > <HTML>
    > <BODY>
    > <INPUT VALUE=" <%=server.HTMLEncode(sText)%>" style="WIDTH:345px">
    > </BODY>
    > </HTML>
    >
    > HTH,
    > Bob Barrows


    i could not understand what you meant by this. could you please be
    more specific, how do i do that?
    dataID or RecID is a numeric value and i have no trouble with the ID.
    It is the TEXT with a double quote that is giving me a hard time.

    i put a demo of the problem here:
    http://www.dv.pgims.org/datadisplay.asp

    here is my code again:

    <%
    Actionvar=Request.QueryString("actionvar")

    Set conn = server.createobject("adodb.connection")
    DSNtemp="DRIVER={Microsoft Access Driver (*.mdb)}; "
    DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
    conn.Open DSNtemp

    IF Actionvar="update" THEN
    IF Len(TRIM(Request.Form("flag"))) = 0 THEN
    SQLstmt = "SELECT * FROM database WHERE dataID=" & Request.QueryString("Recid")

    Set rs = conn.Execute(SQLstmt)
    IF NOT RS.EOF THEN
    %>

    <table>
    <FORM METHOD="post" ACTION="dataupdate.asp?Actionvar=update">
    <INPUT TYPE="text" size="78" NAME="dataMessage"
    VALUE="<%=rs("Message")%>">

    <INPUT TYPE="hidden" NAME="flag" VALUE="2">
    <INPUT TYPE="hidden" NAME="Recordid" VALUE="<%=rs("dataID")%>">
    <INPUT TYPE="submit" VALUE="Update">
    </form>
    </table>

    <%
    rs.MoveNext
    rs.Close
    END IF
    ELSEIF Request.Form("flag")="2" THEN
    comnt = request.form("dataMessage")
    kament = Replace(comnt, "'", "''")

    SQLstmt = "UPDATE database SET "
    SQLstmt = SQLstmt & "Message='" & kament & "' "
     
    cooldv, Jan 19, 2004
    #8
  9. What he's suggesting is pretty simple. Change this:

    <INPUT TYPE="text" size="78" NAME="dataMessage" VALUE="<%=rs("Message")%>">

    To this:

    <INPUT TYPE="text" size="78" NAME="dataMessage"
    VALUE="<%=Server.HTMLEncode(rs("Message"))%>">

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
     
    Aaron Bertrand [MVP], Jan 19, 2004
    #9
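
The fix confirmed in post #9, as an added example that is not part of the thread: a hypothetical helper, AttrEncode, wraps Server.HTMLEncode for attribute values, handles database NULLs, and also encodes the apostrophe, which Server.HTMLEncode leaves alone (the reason the single-quoted VALUE='...' variant still lost text). The sample strings and the msg0..msg3 field names are constructed.

```asp
<%
' Added example, not code from the thread. AttrEncode is a hypothetical helper.
' It makes a value safe inside an HTML attribute with either quote style.
Function AttrEncode(v)
    If IsNull(v) Then
        ' Server.HTMLEncode raises a type mismatch on Null (empty DB column).
        AttrEncode = ""
    Else
        ' Server.HTMLEncode converts & < > and " to entities but leaves the
        ' apostrophe alone, so encode that one separately.
        AttrEncode = Replace(Server.HTMLEncode(CStr(v)), "'", "&#39;")
    End If
End Function

' Constructed sample values standing in for rs("Message").Value
Dim samples(3), i, markup
samples(0) = "text1 "" text2 > text3 text4"
samples(1) = "O'Brien said ""hi"""
samples(2) = "R&D <b>notes</b>"
samples(3) = Null
%>
<html>
<body>
<%
For i = 0 To UBound(samples)
    ' Double-quoted attribute, as in the thread's corrected INPUT tag
    markup = "<input type=""text"" size=""78"" name=""msg" & i & _
             """ value=""" & AttrEncode(samples(i)) & """>"
    ' The text box now shows the full value, quotes and angle brackets included
    Response.Write markup & "<br>" & vbCrLf
    ' Show the generated markup itself; encoding it again displays it as text
    Response.Write "<code>" & Server.HTMLEncode(markup) & "</code><br>" & vbCrLf
Next
%>
</body>
</html>
```

On submit the browser decodes the entities, so Request.Form returns the original characters and nothing has to be reversed before saving. With a recordset, pass rs("Message").Value to the helper.
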
  10. cooldv

    cooldv Guest

    "Aaron Bertrand [MVP]" <> wrote in message news:<#>...
    > What he's suggesting is pretty simple. Change this:
    >
    > <INPUT TYPE="text" size="78" NAME="dataMessage" VALUE="<%=rs("Message")%>">
    >
    > To this:
    >
    > <INPUT TYPE="text" size="78" NAME="dataMessage"
    > VALUE="<%=Server.HTMLEncode(rs("Message"))%>">



    Thank you, Bob Barrows for your solution and Aaron Bertrand for your clarification.

    The above solution is working like a charm. Thanks again.
     
    cooldv, Jan 20, 2004
    #10