I wondered how I can decline a ' character in ASP?
PS: I'm a newbie with ASP.
Please help!





Really don't understand what you are trying to say.
Please expatiate on this "decline a quotation mark"
Afrika
uh`m.
in my url... same be: http://localhost/product.asp?id=1
and, if i fix it to be http://localhost/product.asp?id='
~> will be error ??!
so, how can i filter the ' character from url string?





Am sorry but I don't really understand your requirements.
Why would you want to fix it to be '? If I am getting you right, query strings have some HTML encoding, which translates different characters in a query string. Probably that's why you are getting an error.
hix, i want to filter this string
var id;
id = Request.QueryString("id");
~> and how can i decline a ' character
ps: same addslashes function in PHP
Use InStr. This will give you the location in the string of the character you are looking for. If it doesn't exist it will return a 0:
Code:
If InStr(Request.QueryString("ID"), "'") > 0 Then
    'the character exists so decline it
Else
    'it doesn't
End If
I think you're using the function wrong. Check this out.
http://www.w3schools.com/vbscript/func_instr.asp





Why are you using quotations anyways? When calling a querystring, or providing a value for querystrings, you only need to give the value, i.e.
<form action="action.asp?handler=value"> not <form action="action.asp?handler='value'">
Can you please reply with the script that is providing the querystring handler and value, so we can see why quotation marks are appearing?
Kind regards
Gavin
The Thing's script is error...
I want if
id value = ' .... This value will be invalid....
So , who can show me a str_replace func in ASP ?
i can use replace function to replace ' character to N/A.
My professional explained for me about this way:
rsUser.Source += " FROM Admin WHERE username='" + vUsername.replace(/'/g, "''") + "' AND password='" + String(Request.Form("assword")).replace(/'/g, "''") + "'";
However, when i set:
var i = Request.QueryString("id");
i = i.replace(/'/g, "''");
i received: no method replace in asp ???!





I'm still confused, why don't you use <input type="text" id="test" value="test">? ASP should never insert a ' unless you're manually putting it in there.
I take it you're trying to validate a username and password in SQL/ODBC,
which you can do:
<%
dim connection
set connection = server.createobject("ADODB.Connection")
connection.open "datastring"
dim login
set login = server.createobject("ADODB.Recordset")
' 2, 2 = adOpenDynamic cursor, adLockPessimistic lock
login.open "SELECT * FROM Admin WHERE username = '" & request.form("username") & "' AND password = '" & request.form("password") & "'", connection, 2, 2
%>
That will try and match the username and password.
vUsername.replace.... ? That looks more like C+ or some other language, if you have defined vUsername = request.form("username") then it would be replace(vUsername,"'","")
Send me your login file, and login script. I'll look at it.
Gav
"I'm still confused, why don't you use <input type="text" id="test" value="test"> asp should never insert a ' unless your manually putting it in there."
No, i'm not getting the id value from a submitted form via the POST method...
I get it from url string
http://domain.com/web/product.asp?id='
and my script using javascript, not vbscript
if my url string is http://domain.com/web/product.asp?id='
my query will be:
var sql;
var p_id= Request.QueryString("id");
sql = con.Execute("SELECT * FROM products WHERE id='" + p_id + "'"); // p_id goes into the SQL text as-is
~> this query will be: sql = con.Execute("SELECT * FROM products WHERE id='''");





Originally Posted by rassenvn
Your URL string shouldn't look anything like that; at least from what I know about ASP, a ' isn't needed there, just do it like this:
Code:
http://domain.com/web/product.asp?id=10540
I'm not using JScript myself, so I can't help you with the other stuff, but at least this line looks okay to me:
Code:
var sql;
var p_id= Request.QueryString("id");
The others look kind of strange to me, but as I said, I'm not using JScript but VB Script, so I don't know about them.
And yes, it's really difficult for me (non native English) to understand what you really want, so might have completely misunderstood, if that's the case, I'm sorry.




I think he's just trying to prevent SQL injection.
rassenvn; you're probably looking for something like this:
Code:
i = Request.QueryString("id");
i = replace(i, "'", "''");
That will replace the ' in the variable.
Dennis Pallett - NoCertainty - My Personal Weblog





You see, this is what I mean though. Why prevent SQL injection unless he is forcing the script to inject? If he is using JavaScript to redirect a page with a querystring id, then why is there a quotation mark there in the first place? Why bother creating a script to remove it, when you can just remove it from the source?
Gav
a replace() func is same be not effected...
i = Request.QueryString("id");
i = replace(i, "'", "''");
it's error
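
Added example, not part of any post in this thread: the "no method replace" error comes from Request.QueryString("id") not being a JScript string until it is wrapped in String(), and for a numeric id the sturdier defence against SQL injection is to validate the value and bind it as an ADO parameter instead of doubling quotes. It assumes products.id is an integer column; parseProductId and findProduct are hypothetical names, and server and conn stand for the ASP Server object and an open ADODB.Connection.

```javascript
// Added example, written in ES3 syntax so it also runs as JScript in classic ASP.
// ADO constants are spelled out because JScript pages do not get adovbs.inc.
var adInteger = 3, adParamInput = 1, adCmdText = 1;

// Request.QueryString("id") returns a COM collection item, not a JScript
// string, which is why calling .replace() on it fails. Coerce with String()
// first, then accept only what a product id can legitimately be: digits.
function parseProductId(raw) {
  var s = String(raw);
  if (!/^[0-9]{1,9}$/.test(s)) {
    return null;            // "'", "1 OR 1=1", "" and a missing id all end here
  }
  return parseInt(s, 10);
}

// Bind the id as a typed parameter instead of concatenating it into the SQL
// text. server and conn are passed in (assumption of this example) so the
// function can be exercised outside IIS.
function findProduct(server, conn, rawId) {
  var id = parseProductId(rawId);
  if (id === null) {
    return null;            // caller reports an invalid product id
  }
  var cmd = server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = conn;
  cmd.CommandType = adCmdText;
  cmd.CommandText = "SELECT * FROM products WHERE id = ?";
  cmd.Parameters.Append(cmd.CreateParameter("id", adInteger, adParamInput, 4, id));
  return cmd.Execute();     // ADODB.Recordset
}
```

In an ASP page written in JScript the call would be findProduct(Server, con, Request.QueryString("id")), with con being the connection object used in the posts above.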