garethtnash (United Kingdom) asked:
VBScript storing html encode in SQL Server 2008

I'm building a site using VBScript (Classic ASP). Something I have always struggled with is storing user data correctly in the database; what I mean is where users enter data that contains @£$%^&*() etc. Now I know to use Server.HTMLEncode when sending the data to be stored in the database, which means that & becomes &amp;. The issue I have is that users can edit data, and I don't want &amp; to become &amp;amp;!

So my question is, what is the correct way to handle this?

Thanks
Big Monty replied:

When displaying the data back to the user, you need to decode the data before displaying it. Unfortunately classic ASP doesn't have a built-in function to do this, so you'll have to code it yourself. The following function should do what you want:

Function HTMLDecode(sText)
    Dim regEx
    Dim matches
    Dim match
    ' Named entities first. "&amp;" is decoded last so that a stored
    ' "&amp;lt;" comes back as "&lt;" and not as a live "<".
    sText = Replace(sText, "&quot;", Chr(34))
    sText = Replace(sText, "&lt;"  , Chr(60))
    sText = Replace(sText, "&gt;"  , Chr(62))
    sText = Replace(sText, "&nbsp;", Chr(32))

    Set regEx = New RegExp

    With regEx
     .Pattern = "&#(\d+);" 'Match html numeric character references
     .Global = True
    End With

    ' Replace each numeric reference with the character it names
    Set matches = regEx.Execute(sText)
    For Each match In matches
        sText = Replace(sText, match.Value, ChrW(CLng(match.SubMatches(0))))
    Next

    sText = Replace(sText, "&amp;", Chr(38))
    HTMLDecode = sText
End Function


If you use an HTML editor like TinyMCE or CKEditor you can save HTML encoded, and when you display using <textarea><%=rs("content")%></textarea> the entities will be converted as you expect.

garethtnash (asker):
Hi,

This is for standard input form items, not text areas. Quick question, is there a way to HTMLDecode using JQuery?

Thanks
The control doesn't matter. It can be either a text box or a textarea.

If you wanted to do this client side (which I don't recommend unless you're also validating on the server as well), you could use the unescape() function.

You could also try something like this for jQuery:

var decoded = $("<input>").html( '<%=encodedData%>' ).text();

Personally, I'd stick with the server side solution.

There shouldn't be a need to decode.

If you encoded, it should still display correctly.  

If you input "0 < 5" and encode it, then display what is in the browser with <input value="<%=rs("data")%>">, it should be fine.

Try <input value="0 &lt; 5"> http://jsbin.com/diponalicu/1/edit
The reason I ask is that I'm dynamically populating the form using jQuery like

            $('#Edit_Job_Title').val($(this).data('jobtitle'));


Which loads the value stored in the link's job title data attribute into the form input Edit_Job_Title; the value could contain a " if HTML decoded before it is loaded into the form input.

Thank you
Did you try using the unescape() function?

So,

Doing this server side, presumably, I decode first and then encode?

Sorry if I'm not making sense here, but previously I used Server.HTMLEncode on first input, which stored &amp;, and then Server.HTMLEncode on update, which ended up storing &amp;amp;.

Presumably now I need to do something like

<%=Server.HTMLencode(HTMLDecode("Value"))%>

Appreciate all your thoughts.

Thank you
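The decode-then-re-encode round trip asked about above, as an added example in Node.js that is not code from the thread. htmlEncode() is an assumed stand-in for Server.HTMLEncode covering the same entities the VBScript HTMLDecode reverses, and the sample input is constructed.

```javascript
// Added example (not from the thread). htmlEncode() is an assumed model of
// what Server.HTMLEncode does to the characters the VBScript decoder reverses.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

function htmlEncode(text) {
  return text.replace(/[&<>"]/g, (ch) => ENCODE_MAP[ch]);
}

// Decoder with the same entity set as the thread's VBScript function.
// "&amp;" is decoded LAST: decoding it first would turn a stored
// "&amp;lt;" into a live "<" that the user never typed.
function htmlDecode(text) {
  return text
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&nbsp;/g, ' ')
    .replace(/&#(\d+);/g, (_, code) => String.fromCharCode(Number(code)))
    .replace(/&amp;/g, '&');
}

// Naive variant that decodes "&amp;" first, kept only to show why order matters.
function htmlDecodeAmpFirst(text) {
  return text
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"');
}

// Simulate an insert followed by an update. Re-encoding the stored value
// without decoding it first yields "&amp;amp;" (the asker's problem);
// decoding before re-encoding keeps the stored value stable across saves.
function saveTwice(userInput, decodeFirst) {
  let stored = htmlEncode(userInput);                     // first insert
  const next = decodeFirst ? htmlDecode(stored) : stored; // edit form round trip
  stored = htmlEncode(next);                              // update
  return stored;
}

const sample = 'Tom & Jerry say "0 < 5"'; // constructed sample input
console.log(saveTwice(sample, false)); // double-encoded: Tom &amp;amp; Jerry ...
console.log(saveTwice(sample, true));  // stable: Tom &amp; Jerry say &quot;0 &lt; 5&quot;
console.log(htmlDecodeAmpFirst('&amp;lt;b&amp;gt;')); // <b>  (markup created)
console.log(htmlDecode('&amp;lt;b&amp;gt;'));         // &lt;b&gt; (text preserved)
```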
SOLUTION (Big Monty)

ASKER CERTIFIED SOLUTION
Thank you