handling single and double quotes for output as textbox values and database storage

whatemail used Ask the Experts™

I have never really found the perfect solution to this annoying question of how to handle single and double quotes entered by a user.  

I know how to replace the single quotes to insert the data into a database, but how do you get the information to show up properly in a form when you need to display the submitted data?  Specifically if you use double quotes in your HTML form tags to wrap values attributes, how do you display double quotes submitted by the user?  It allows cuts the data short as it thinks that the first double quote in the user's data is the end of the string for the value attribute.  

You must all know what i mean, right.  Have I just been stupid all this time, is there a solution?  

I am about to stop using textboxes all together and just use textareas!! but then you have the headache of dealing and validating textbox lengths, etc.  AHHHHH!!!

Please help, your insight might just save my sanity!

If you have a solution = 250 pts, I am really looking for some to add to my knowledge on this.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Represent double quotes with "

<input type=textbox value="&quot;Hello, world!&quot;">

the perfect and correct answer

does this not work?

<input type=text value='<%= server.htmlencode(recordset("fieldwithquotesin")%>'>

Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

well, that definitely wouldnt because i missed a bracket!

<input type=text value='<%= server.htmlencode(recordset("fieldwithquotesin"))%>'>

Server.HTMLEncode should do it, but beware, the function gives an error when the variable to be encoded is null.

<input type=text value="<%=Server.HTMLEncode("" & recordset("fieldwithquotesin"))%>">


So simple an answer!  

Just one sub-question, I think the Server.HTMLEncode seems more robust, but I am worried about Spanish characters, would Server.HTMLEncode affect multi-lingual characters too?

How's this for the final function then?
Function OutTextReplace(strOut)
     if len(strOut)>0 then
          Dim strProcessed
          strProcessed = replace(strOut,"''","'")
          strProcessed = Server.HTMLEncode(strOut)
          OutTextReplace = strProcessed
          OutTextReplace = strOut
     end if    
End Function

Would this seem like a good function to use?

mcallarse, hanneman, sybe all of your answers contributed something to this question.  Would you mind if I gave each of you 100 a piece?  I just can't afford 250 each.

Thanks for the comment graver.

it should work on spanish characters, it should work on any character at all, but i cant say for sure.

why are you using replace() as well? i thought the idea was to show the quotes as they are...

100 each is pretty extravagant! considering:

you dont seem to be using mcallarses solution, i only told you about one little function, and sybe just warned you about nulls.

save your points, give us 20 each if you want...




The first replace is actually how i am handling single quotes.  I have a function called InTextReplace() that replaces every single quote as two single quotes.  This way I can use sql statements for database insertions.

The replace in the OutTextReplace() simples reverts the two single quotes to be one single quote for proper displaying of text.

Is there a better method to this?

Although they seemed like small and simple answers, I assure you they have great value to me.

Thank you, I shall await the others before doling out the pts.
Re: Foreign characters, HTMLEncode may corrupt certain Unicode characters, per the following article from the MS KnowledgeBase:


In your code, would replace

strProcessed = Server.HTMLEncode(strOut)


strProcessed = Server.HTMLEncode(strProcessed)

Other than that, looks good.
if you double single quotes to put a string in a database, the database will store only one quote in the field. No need to reverse it.


sInputstring = "phrase with a ' quote"
MyId = 5
sSQL = "UPDATE tablename SET stringfield = '" & Replace(sInputstring,"'","''") & "' WHERE ID = " & MyId

then the SQL that goes to the database will be:

UPDATE tablename SET stringfield = 'phrase with a '' quote 'WHERE ID = 5

The single quote in that string means to the database that the string is not ended yet, but that there is a single quote in the string.
And the database will put the string with one single quote in the field, so:

phrase with a ' quote

if you get this out the database in a recordset, you get that back. No need to replace the two single quotes with one single quote, because one of the two is "lost" in the process of putting the data in the database. There are no double single quotes anymore.

Now there is another problem, the problem of double quotes in a string, that don't show up in textfields in a form.

you use HTML/ASP like this:

<input type="text" name="foo" value="<%=recordset("fieldname")%>">

The problem is that ="<%=recordset("fieldname")%> *can* contain double-quote("), and the HTML is then like:

<input type="text" name="foo" value="some string with " double quote">

The browser will interpret that the value of the textfield ends at the double-quote, and you see a textfield with:

          somestring with

in stead of

           somestring with " double quote

Now how to prevent that ??
That is where the Server.HTMLEncode comes in. In proper HTML you can not use double-quotes just like that, it is a "reserved character" and has a special meaning.
If you want to write a double-quote in proper HTML, you should write &quote;
There are many other characters in HTML which have a special meaning, and should be replaced by some special code. Like ">" and "<", and also non-standard characters (é, ë etc), have special HTMLcodes.

Server.HTMLEncode, does nothing else then just replace the characters in a string that should not be used, with their proper HTML equivalent.
Every browser will display those characters then correctly as intended.

does this help ?

No comment has been added lately and it seems that this question have been abandoned. So it's time to clean up this TA.

I will leave a recommendation in the Cleanup topic area that this question or invite a Moderator to close this question if there's no reply from you after seven days.

In the absence of responses, I will recommend the following:

To accept the comment and points awarded to  sybe


Just trying to help for the cleanup...

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial