Well, first, this is a bad design since it violates the first normal
form of DB design. But besides that, you can use Character Entity
References or Named Character References to replace these characters,
essentially encoding them to avoid them being viewed as metacharacters
in this context. HTMLEncode will handle some, but a better solution
is implementation of the OWASP Reform library which CER encodes
everything that isn't A-Z, 0-9, or the period or comma. Added
benefit, of course, in cross site scripting protection.
This should be applied to all dynamic data in your application. If it
is not in your template, i.e. it's dynamically evaluated in CFOutput, it
should be encoded.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children."
-- John James Audubon
On Jun 12, 2008, at 4:25 PM, Ajas Mohammed wrote:
Hi,
I am displaying result set from a query in form fields like this,
where column xyz contains value like this "ajas, mohd"
i.e. with the quotes and comma.
<td><input type="text" name="xyz" value="#xyz#" size="15"></td>
The form doesn't show the contents of the column because of the
quotes. So I am using replace function to remove the quotes. This
works fine. See below.
<td><input type="text" name="xyz"
value="#Replace(xyz,"""","","All")#" size="15"></td>
This results in ajas,mohd being shown in the text form field.
How do I make the column xyz's value appear in the form field with
quotes without using the replace function. Any ideas?
Or Do I have to tell client not to send values with quotes going
forward?
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high
intention, sincere effort, intelligent direction and skillful
execution; it represents the wise choice of many alternatives.
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------