Re: apostrophe problem

"Rich" <rtillmore@xxxxxxxxx> wrote in message news:9e24c8f5-251c-439d-b44d-2dd929bdcb71@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am trying to make a dynamic dropdown list box that contains values
pulled from an Access database. The code is working properly except
when one of the values contains an apostrophe for example O'Leary.
When O'Leary shows up I get:
<option value='O'LEARY'>O'LEARY</option>
The system says there is an Extra quote character found or quote
character missing:
How can I fix it?

Thanks,

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>My first query</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<style type="text/css">
html, body {
height: 100%;
min-height: 100%;
}
body{
border:0;
margin:0px;
background-color:white;
color:black;
text-align:center;
}
select {
width:200px;
}
p {
width:200px;
}
</style>
</head>

<body>
<%@ Language = VBscript %>
<% Response.Buffer = True %>
<%
Dim objconn,objRS,strSQL1

Set objconn = Server.CreateObject("ADODB.Connection")
objconn.ConnectionString = "DRIVER=Microsoft Access Driver (*.mdb);DBQ=" & Server.MapPath("db.mdb")
objconn.Open

Set objRs = Server.CreateObject("ADODB.Recordset")
strSQL1 = "SELECT name FROM Table1 ORDER BY name ASC"
objRS.Open strSQL1, objconn
Response.Write "<p>Search by Name: "
Response.Write "<select name=name><option value='' selected>Name</option>"
Do While Not objRS.EOF
Response.Write "<option value='" & objrs("Name") &"'>"& objRs("Name") &"</option>"
objRS.MoveNext
Loop
Response.Write "</select></p>"
objRs.Close
objconn.Close

%>

</body>
</html>


Use double quotes for your attribute values (double them up in strings to print them), and HTML encode your values.

Response.Write "<option value=""" & Server.HTMLEncode(objrs("Name")) &""">" & Server.HTMLEncode(objRs("Name")) &"</option>"

If you really must use a single quote (apostrophe) for your attributes, then replace the apostrophes in your values with &apos;

Response.Write "<option value='" & Replace(Server.HTMLEncode(objrs("Name")),"'","&apos;") &"'>" & Server.HTMLEncode(objRs("Name")) &"</option>"


You should never just write data from anywhere, database or otherwise, into HTML unless you're sure it's already been encoded correctly, as you leave yourself open to XSS vulnerabilities if your variables/data are compromised.

--
Dan
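
The encoding advice in the reply above, wrapped in one reusable function, as an added example that is not part of the original posts. HtmlAttr is a hypothetical helper name, and the sample array is constructed to stand in for the recordset values.

```vbscript
<%@ Language = VBScript %>
<%
Option Explicit

' Hypothetical helper (not a built-in ASP function): encode a value so it is
' safe both inside a quoted HTML attribute and as element text.
Function HtmlAttr(ByVal v)
    ' ADO returns Null for empty columns; treat that as an empty string
    ' instead of letting the encoding call fail on it.
    If IsNull(v) Then v = ""
    ' Server.HTMLEncode converts & < > and the double quote to entities.
    v = Server.HTMLEncode(CStr(v))
    ' Cover the apostrophe as well, so the result is also safe if the
    ' attribute is ever delimited with single quotes. The numeric reference
    ' &#39; is used here because it is defined in HTML 4; &apos; comes from
    ' XML and is not in the HTML 4 entity list.
    HtmlAttr = Replace(v, "'", "&#39;")
End Function

Dim names, n

' Constructed sample values standing in for objRS("Name").Value:
' an apostrophe, an ampersand, embedded double quotes, markup, and a Null.
names = Array("O'LEARY", "SMITH & SONS", "A ""B"" C", "<b>Bold</b>", Null)

Response.Write "<p>Search by Name: "
Response.Write "<select name=""name""><option value="""" selected>Name</option>"
For Each n In names
    ' With a real recordset, pass the field value, not the Field object:
    '   HtmlAttr(objRS("Name").Value)
    Response.Write "<option value=""" & HtmlAttr(n) & """>" & _
                   HtmlAttr(n) & "</option>"
Next
Response.Write "</select></p>"
%>
```

Because every value goes through the same function, a name containing quotes or markup can neither close the value attribute early nor introduce new elements into the list.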
