  1. #1
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73

    How to decline a quotation mark in asp?

    I wondered how I can decline a ' character in ASP?

    PS: I'm a newbie with ASP.
    Please help.

  2. #2
    Afrika
    Join Date
    Jul 2004
    Location
    Nigeria
    Posts
    1,737
    I really don't understand what you are trying to say.
    Please expatiate on this "decline a quotation mark".
    Afrika

  3. #3
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73
    Uhm.
    In my URL, for example: http://localhost/product.asp?id=1
    and if I fix it to be http://localhost/product.asp?id='
    ~> there will be an error?!
    So, how can I filter the ' character from the URL string?

  4. #4
    Afrika
    Join Date
    Jul 2004
    Location
    Nigeria
    Posts
    1,737
    I am sorry, but I don't really understand your requirements.

    Why would you want to fix it to be ', if I am getting you right? Query strings have some HTML encoding, which translates different characters in a query string. Probably that's why you are getting an error.

  5. #5
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73
    Hix, I want to filter this string:
    var id;
    id = Request.QueryString("id");

    ~> and how can I decline a ' character?

    PS: the same as the addslashes function in PHP.

  6. #6
    Original Gangster silver trophy Thing's Avatar
    Join Date
    Oct 2000
    Location
    Philadelphia, PA
    Posts
    4,708
    Use InStr. This will give you the location in the string of the character you are looking for. If it doesn't exist it will return a 0:

    Code:
    If InStr(request.querystring("ID"), "'") > 0 then
      'the character exists so decline it
    Else
      'it doesn't
    End if

  7. #7
    SitePoint Member Enknot's Avatar
    Join Date
    Sep 2004
    Location
    Buffalo, New York
    Posts
    22
    I think you're using the function wrong. Check this out.

    http://www.w3schools.com/vbscript/func_instr.asp

  8. #8
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    Why are you using quotations anyway? When calling a querystring, or providing a value for querystrings, you only need to give the value, i.e.

    <form action="action.asp?handler=value"> not <form action="action.asp?handler='value'">

    Can you please reply with the script that is providing the querystring handler and value, so we can see why quotation marks are appearing?

    Kind regards

    Gavin

  9. #9
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73
    The Thing's script gives an error...
    What I want is: if the
    id value = ' ... this value will be invalid.
    So, who can show me a str_replace func in ASP?
    I can use a replace function to replace the ' character with N/A.

    My professional explained this way to me:

    rsUser.Source += " FROM Admin WHERE username='" + vUsername.replace(/'/g, "''") + "' AND password='" + String(Request.Form("assword")).replace(/'/g, "''") + "'";

    However, when I set:
    var i = Request.QueryString("id");
    i = i.replace(/'/g, "''");
    I received: no method replace in ASP?!

  10. #10
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    I'm still confused, why don't you use <input type="text" id="test" value="test">? ASP should never insert a ' unless you're manually putting it in there.

    I take it you're trying to validate a username and password in SQL/ODBC.

    Which you can do:

    <%
    dim connection
    set connection = server.createobject("ADODB.Connection")
    connection.open "datastring"

    dim login
    set login = server.createobject("ADODB.Recordset")
    login.open "SELECT * FROM Admin WHERE username = '" & request.form("username") & "' AND password = '" & request.form("password") & "'", connection, 2, 2
    %>

    That will try and match the username and password.

    vUsername.replace.... ? That looks more like C+ or some other language, if you have defined vUsername = request.form("username") then it would be replace(vUsername,"'","")

    Send me your login file, and login script. I'll look at it.

    Gav


  11. #11
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73
    Quote Originally Posted by gRoberts
    I'm still confused, why don't you use <input type="text" id="test" value="test"> asp should never insert a ' unless your manually putting it in there.
    No, I'm not getting the id value from a submitted form using the POST method...
    I get it from the URL string:

    http://domain.com/web/product.asp?id='
    and my script is using JavaScript, not VBScript.
    If my URL string is http://domain.com/web/product.asp?id='
    my query will be:

    var sql;
    var p_id= Request.QueryString("id");
    sql = con.Execute("SELECT * FROM products WHERE id='" + p_id + "'");

    ~> this query will be: sql = con.Execute("SELECT * FROM products WHERE id='''");

  12. #12
    doing my best to help c2uk's Avatar
    Join Date
    May 2005
    Location
    Cardiff
    Posts
    1,832
    Quote Originally Posted by rassenvn
    if my url string is http://domain.com/web/product.asp?id='
    Your URL string shouldn't look anything like that, at least from what I know about ASP. A ' isn't needed there, just do it like this:

    Code:
    http://domain.com/web/product.asp?id=10540
    I'm not using JScript myself, so I can't help you with the other stuff, but at least this line looks okay to me:
    Code:
    var sql;
    var p_id= Request.QueryString("id");
    The others look kind of strange to me, but as I said, I'm not using JScript but VB Script, so I don't know about them.

    And yes, it's really difficult for me (non-native English) to understand what you really want, so I might have completely misunderstood. If that's the case, I'm sorry.

  13. #13
    What a twist! Kings's Avatar
    Join Date
    Jul 2002
    Location
    The Netherlands
    Posts
    954
    I think he's just trying to prevent SQL injection.

    rassenvn; you're probably looking for something like this:
    Code:
    i = Request.QueryString("id");
    i = replace(i, "'", "''");
    That will replace the ' in the variable.
    Dennis Pallett - NoCertainty - My Personal Weblog
    The Web Network: ASPit | PHPit | WebDev-Articles
    Blogs: TalkFones | Holidayzer | PHPit Blog

  14. #14
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    You see, this is what I mean though. Why prevent SQL injection unless he is forcing the script to inject? If he is using JavaScript to redirect a page with a querystring id, then why is there a quotation mark there in the first place? Why bother creating a script to remove it, when you can just remove it from the source?

    Gav


  15. #15
    SitePoint Enthusiast
    Join Date
    Jan 2005
    Location
    US
    Posts
    73
    i = Request.QueryString("id");
    i = replace(i, "'", "''");
    The replace() func seems to have no effect...
    It's an error.
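
The handling this thread is working toward, as an added example that is not code from any poster: convert the `Request.QueryString` value with `String()` before calling `.replace()`, accept only digits for the id, and bind it as a parameter instead of concatenating it. `fakeQueryString` is a constructed stand-in for the ASP object, a numeric `id` column is an assumption, and `findProduct` is meant to run only under classic ASP.

```javascript
// Constructed stand-in for classic ASP's Request.QueryString("id"): it hands
// back an object, not a string, so calling .replace() on it directly fails.
function fakeQueryString(value) {
  return { Item: value, toString: function () { return value; } };
}

// Allow-list check: a product id is 1 to 9 decimal digits and nothing else.
// Returns a number, or null when the request should be rejected.
function parseProductId(raw) {
  var s = String(raw); // convert the ASP object to a real string first
  if (!/^[0-9]{1,9}$/.test(s)) {
    return null;
  }
  return parseInt(s, 10);
}

// Quote doubling as discussed in the thread; only relevant for string columns
// and only as a fallback where parameters cannot be used.
function sqlQuote(raw) {
  return String(raw).replace(/'/g, "''");
}

// The pattern from post #11: raw input concatenated into the statement.
function buildConcatenated(raw) {
  return "SELECT * FROM products WHERE id='" + String(raw) + "'";
}

// Classic ASP only (needs Server and an open ADODB.Connection): the id
// travels as a bound parameter, so quoting never comes into play.
function findProduct(conn, id) {
  var cmd = Server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = conn;
  cmd.CommandText = "SELECT * FROM products WHERE id = ?";
  // 3 = adInteger, 1 = adParamInput
  cmd.Parameters.Append(cmd.CreateParameter("id", 3, 1, 4, id));
  return cmd.Execute();
}
```

In the page script, call `parseProductId(Request.QueryString("id"))` first and return an error page when it yields `null`; only a validated number reaches `findProduct`.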

