users using &, ", ', and other chars in input fields

Discussion in 'Javascript' started by Michael Hill, Jan 29, 2004.

  1. Michael Hill

    Michael Hill Guest

    I have a general question about how people generally tend to deal with
    users' data that they enter.

    As an example users enter double quotes in a text field surrounding a
    specific piece of text they want to highlight and then it barfs during
    the Oracle insert step because the string is not properly delimited.

    Another example is where the ampersand causes trouble when used on an
    xml page so provisions are made to insert it into the table
    using the ASCII equivalent & . But the field is only 25 characters
    so when a string with 25 characters that has an ampersand is being
    input and we change the ampersand to the ASCII equivalent we now have
    more than 25 characters and update fails because we have
    too many characters. We could truncate them before the insert, or we
    could write some code to deal with them on the client.

    Others copy and paste from word documents into a text field and in it
    there are hidden formatting fields like bullets.

    The users barf and complain about the application, but what we have here
    is bad data.

    How do most handle these?

    Mike
     
    Michael Hill, Jan 29, 2004
    #1

  2. Michael Hill

    McKirahan Guest


    I use something like the following; watch for word-wrap.


    function validate() {
        var form = document.forms[0];
        var regs = "'\n\nInvalid characters: \" & '";
        var regx = /\"|\&|\'/;
        // check every field of the first form on the page
        for (var i = 0; i < form.elements.length; i++) {
            // index the element collection; form.elements.value is undefined
            if (regx.test(form.elements[i].value)) {
                alert("Invalid character(s) in '" + form.elements[i].name +
                    regs);
                return false;
            }
        }
        return true;
    }
     
    McKirahan, Jan 30, 2004
    #2

  3. Your Oracle problems come from fiddling with sql text and text literals. Use
    prepared statements and statement parameters to prevent such problems. That
    means do not use

    "insert into tab(col) values ('" + colVal + "')"

    but use

    "insert into tab(col) values (?)" (JDBC syntax) or something similar for
    OCI.

    When generating HTML pages/forms containing data from the database you
    should always be aware of invalid characters in the data. Use a proper
    escaping function to handle that. I would advise escaping to ASCII only
    instead of UTF-8 but that is a matter of taste.

    Regards,

    Silvio Bierman
     
    Silvio Bierman, Jan 30, 2004
    #3
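The two points in the reply above, binding the value as a statement parameter instead of splicing it into the SQL, and escaping only when the stored text is written into HTML, as an added example that is not part of the original thread. It uses Python's stdlib sqlite3 as a constructed stand-in for the Oracle table (the `?` placeholder is the same JDBC-style syntax the reply mentions); the table name, column and the 25-character width come from the thread, everything else is assumed.

```python
import sqlite3
import html

COLUMN_WIDTH = 25  # the 25-character column from the original question


def open_db():
    """Constructed in-memory table standing in for the Oracle table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tab(col varchar(25))")
    return conn


def naive_insert(conn, value):
    """The concatenation pattern the reply warns against: a quote in the
    value ends the literal early and the statement no longer parses."""
    sql = "insert into tab(col) values ('" + value + "')"
    conn.execute(sql)


def safe_insert(conn, value):
    """Bind the value as a parameter: the driver never treats it as SQL,
    so quotes, ampersands and backslashes are stored exactly as typed.
    The width check is done on the raw text (sqlite does not enforce
    varchar(25), so the check lives here), not on an escaped form."""
    if len(value) > COLUMN_WIDTH:
        raise ValueError(f"value longer than {COLUMN_WIDTH} characters")
    conn.execute("insert into tab(col) values (?)", (value,))


def fetch_all(conn):
    return [row[0] for row in conn.execute("select col from tab order by rowid")]


def to_html(value):
    """Escape at output time, when the text goes into an HTML/XML page;
    the stored value stays raw, so escaping never eats into the column width."""
    return html.escape(value, quote=True)


def insert_outcome(value):
    """Return (error raised by the naive insert or None, value stored via binding)."""
    conn = open_db()
    try:
        naive_insert(conn, value)
        naive_error = None
    except sqlite3.Error as exc:
        naive_error = type(exc).__name__
    safe_insert(conn, value)
    return naive_error, fetch_all(conn)[-1]


if __name__ == "__main__":
    for sample in ["plain text", "O'Brien said \"hi\"", "Tom & Jerry"]:
        print(repr(sample), "->", insert_outcome(sample), "->", to_html(sample))
```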
  4. Michael Hill

    McKirahan Guest

    Would you rather have your application "cry, bitch, moan, and do other baby
    like stuff?"

    You could always substitute restricted characters before using (e.g.
    storing) them...
     
    McKirahan, Jan 30, 2004
    #4
  5. Of course not, it should handle all possible inputs gracefully.
    Especially since client-side validation will not always be able to
    filter out problematic inputs.
    That would be the prettier choice.

    Your application has problems with certain characters. You should solve
    that instead of passing the problem on to the unsuspecting user. It's
    not their fault, and they really don't need to know.

    /L
     
    Lasse Reichstein Nielsen, Jan 30, 2004
    #5