The essential problem with quotes is that they're used with display programming logic (such as with HTML and Javascript) as well as within back end programming (using scripting languages such as PHP, ASP, JSP or even SQL). Because quotes are used to delineate strings, having a string with a quote in it can cause undue problems. Luckily there is an easy solution. Since browsers display HTML character entities as regular text, you can simply transform all the single and double quotes that appear in text for display into their ASCII-code entity equivalents.
The ASCII code for a single quote is 39, so it is written in HTML as &#39;, and similarly a double quote (ASCII 34) can be represented in HTML as &#34; (or &quot;).
Using these values it is easy to display both single and double quotes in HTML output without interfering with any programmatic use of the quotes. This means that quotes in display text won't interfere with any string-delimiting quotes.
For instance, many times you'll run into the following problem:
As you can see, the quotation marks inside the value attribute are going to wreak havoc with the display, since the browser will interpret them as closing the value attribute and so the rest of the string won't actually display within the text box. The following code will, however, display properly:
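The transformation described above, as an added example (this is not the post's own snippet): a small escaping routine and a helper that builds the text box markup from it. It goes a little beyond the post in that it also encodes the ampersand and angle brackets, so the same output is safe both inside a quoted attribute and in ordinary element content. The names escapeHtml, renderTextBox and renderTextBoxUnsafe are this example's own.

```javascript
// Added example: encode quotes (and the other HTML metacharacters) before
// placing user-supplied text into a value attribute.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&#34;',   // ASCII 34, the entity the post uses for a double quote
  "'": '&#39;',   // ASCII 39, the entity the post uses for a single quote
};

// Replace every metacharacter in one pass so the '&' of an entity we just
// emitted is never itself re-encoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The problem case: the raw value is dropped straight into the attribute, so
// the first double quote inside it closes the attribute early.
function renderTextBoxUnsafe(name, value) {
  return `<input type="text" name="${name}" value="${value}">`;
}

// The fix: both the name and the value are encoded, so the only double quotes
// left in the markup are the six attribute delimiters.
function renderTextBox(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Constructed sample input of the kind the post warns about.
const sample = `She said "it's fine" <b>`;

console.log(renderTextBoxUnsafe('msg', sample));
console.log(renderTextBox('msg', sample));
```

Note that escapeHtml is not something you can safely apply twice: running it over text that already contains &#39; turns the ampersand into &amp;, so the browser would show the entity text rather than the quote. Encode once, at the point where the text is written into the page.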
Even worse is the following problem:
<?php
// The SQL value is wrapped in single quotes, so the apostrophe in "wasn't"
// ends the string literal early and breaks the whole statement.
$sql = "insert into comment
        (comment_body)
        values ('There wasn't any way to accomplish it.')";
mysql_query($sql);
?>
You can see how the above string is going to destroy the SQL insert query right away. The single quote in the input string will prematurely terminate the SQL statement, resulting in an error (at best). Although there are ways to deal with problematic input on the back end, it is often easier to scrub input on the front end first, ensuring that form data is submitted cleanly. Using Javascript for this purpose is lightweight and handy. This function searches through the values of all the elements in the form named 'theForm' on the page. Call it with
This will allow the function to run when the form is posted. Include the following Javascript snippet in your document as well:
Remember, however, that a malicious user could bypass this check simply by disabling Javascript in their browser. As a rule of thumb you should never trust user input. Make sure that your back end code checks for and escapes any quotes that could cause problems!
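An added example (not the post's own snippet) of the two halves described above: the front-end scrub that walks every field of the form named 'theForm' when it is submitted, and the back-end check that has to run regardless, because nothing forces the browser to execute the scrub. The scrub is split into a pure function so it can be exercised without a browser; the names encodeQuotes, scrubFields, hookForm and storeComment are this example's own. One caveat a practitioner would add to the post's advice: on the server, encoding quotes only makes the stored text safe to print back into HTML; the insert itself should pass the comment as a bound parameter (a mysqli or PDO prepared statement in PHP) rather than splicing it into the SQL string.

```javascript
// Added example: front-end quote scrub plus the back-end re-check.

// The post's transformation: only the two quote characters change.
function encodeQuotes(text) {
  return String(text).replace(/'/g, '&#39;').replace(/"/g, '&#34;');
}

// Pure form of the scrub: `fields` is the list of { name, value } pairs a form
// would submit; every value comes back with its quotes encoded.
function scrubFields(fields) {
  return fields.map(({ name, value }) => ({ name, value: encodeQuotes(value) }));
}

// Browser wiring: attach the scrub to the form named 'theForm' so it runs when
// the form is posted. `doc` is passed in (normally `document`) so the function
// can be tested with a stand-in object. Returns false if the form is absent.
function hookForm(doc) {
  const form = doc.forms['theForm'];
  if (!form) return false;
  form.addEventListener('submit', () => {
    for (const el of Array.from(form.elements)) {
      if (typeof el.value === 'string') el.value = encodeQuotes(el.value);
    }
  });
  return true;
}

// Server side: never assume the client ran the scrub. Encoding only the quote
// characters is idempotent (the entities &#39; and &#34; contain no quotes), so
// the same function is applied again here and yields the same stored text
// whether JavaScript was enabled or not.
function storeComment(postedBody) {
  return encodeQuotes(postedBody);
}

// Constructed sample: the comment from the post, submitted with and without
// the front-end scrub having run.
const rawSubmission = [{ name: 'comment_body', value: "There wasn't any way to accomplish it." }];
const scrubbedSubmission = scrubFields(rawSubmission);

console.log(storeComment(rawSubmission[0].value));       // JavaScript disabled
console.log(storeComment(scrubbedSubmission[0].value));  // JavaScript enabled
```

The hookForm function is the piece you would call from the page itself, for instance from a script placed after the form; everything else runs equally well in Node, which is how the idempotence of the server-side check can be shown without a browser or a database.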
Try it: