Re: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Dean H. Saxe
Well, first, this is a bad design since it violates the first normal
form of DB design.  But besides that, you can use Character Entity
References or Named Character References to replace these characters,
essentially encoding them to avoid them being viewed as metacharacters
in this context.  HTMLEncode will handle some, but a better solution
is implementation of the OWASP Reform library which CER encodes
everything that isn't A-Z, 0-9, or the period or comma.  An added
benefit, of course, is cross-site scripting protection.


This should be applied to all dynamic data in your application.  If it
is not in your template, i.e. it's dynamically evaluated in CFOutput, it
should be encoded.


-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"A true conservationist is a person who knows that the world is not  
given by his fathers, but borrowed from his children."

-- John James Audubon




On Jun 12, 2008, at 4:25 PM, Ajas Mohammed wrote:


Hi,

I am displaying result set from a query in form fields like this,  
where column xyz contains value like this "ajas, mohd"

i.e. with the quotes and comma.



The form doesn't show the contents of the column because of the
quotes. So I am using the replace function to remove the quotes. This
works fine. See below.


<input type="text" value="#Replace(xyz,"""","","All")#" size="15"> This results in
ajas,mohd being shown in the text form field.


How do I make the column xyz's value appear in the form field with
quotes without using the replace function? Any ideas?


Or do I have to tell the client not to send values with quotes going
forward?


--

http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high  
intention, sincere effort, intelligent direction and skillful  
execution; it represents the wise choice of many alternatives.


-
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-









Re: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Dean H. Saxe
Do not store with entity encoding.  What happens when the data is
later output to XML, PDF, Word, etc?  You encode on output to the
target data sink (HTML, XML, PDF, SQL DB, LDAP, etc.) when pushing it
to that target.  This, of course, is also to prevent XSS, SQL
Injection, LDAP injection, etc.  Note that each requires a different
type of encoding, specific to the target and the target platform's
characteristics.


-dhs


Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that  
we are to stand by the president right or wrong, is not only  
unpatriotic and servile, but is morally treasonable to the American  
public."

-- Theodore Roosevelt


On Jun 12, 2008, at 4:39 PM, Troy Jones wrote:

Is it possible to maybe use an HTML entity in storing the data in
the first place? Maybe, replace the quotes with "&quot;"? Just a
thought.







Re: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Douglas Knudsen
URLEncodedFormat() perhaps?  see
http://livedocs.adobe.com/coldfusion/6/CFML_Reference/functions-pt2112.htm#1114140

For JS, use the JSStringFormat()
http://livedocs.adobe.com/coldfusion/6/CFML_Reference/functions-pt1148.htm#1106993


DK
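The encode-on-output rule Dean describes above, applied to the form field from the original question and to the URL and JavaScript contexts Douglas points at, as an added example that is not code from this thread, from ColdFusion or from OWASP Reform: it uses Python's standard library in place of the CFML functions, the column value is a constructed sample, and reform_style_encode() only reproduces the whitelist rule Dean states, not Reform's real output format.

```python
import html
import json
import urllib.parse

# Constructed sample: the raw value exactly as it sits in column xyz,
# quotes and comma included. It is stored untouched; encoding happens on output.
RAW_VALUE = '"ajas, mohd"'


def encode_for_html_attribute(value: str) -> str:
    """HTML attribute context: &, <, >, " and ' become entities, so a quote in
    the data can no longer terminate value="..." (the thread's form-field bug)."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """URL/query-string context, the role URLEncodedFormat() plays in CFML."""
    return urllib.parse.quote(value, safe="")


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context, the role JSStringFormat() plays in CFML.
    A JSON string literal is a valid JS string literal; '</' is also escaped so
    the literal cannot close an enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def reform_style_encode(value: str) -> str:
    """Whitelist entity encoding following the rule Dean gives for OWASP Reform:
    everything that is not a letter, digit, period or comma becomes &#NNN;.
    Assumption: lowercase letters pass through too; Reform's own output format
    is not reproduced here, only the rule."""
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in ".,"):
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)


def render_input(raw: str) -> str:
    """The form field from the thread, with the value encoded for its context
    instead of having its quotes stripped by Replace()."""
    return f'<input type="text" value="{encode_for_html_attribute(raw)}" size="15">'


def stored_pre_encoded_goes_wrong(raw: str) -> dict:
    """Why entity-encoding before storage is the wrong layer: the stored value
    carries HTML entities into every other sink, and the HTML sink that does
    encode on output now double-encodes them."""
    stored = html.escape(raw, quote=True)  # entity-encoded at write time
    return {
        "stored": stored,
        "html_double_encoded": encode_for_html_attribute(stored),
        "url_sink_sees_entities": encode_for_url(stored),
    }


if __name__ == "__main__":
    print(render_input(RAW_VALUE))
    print(encode_for_url(RAW_VALUE), encode_for_js_string(RAW_VALUE))
    print(reform_style_encode(RAW_VALUE))
    print(stored_pre_encoded_goes_wrong(RAW_VALUE))
```

Single quotes, which Dusty notes are the same problem, are covered by the same attribute encoder (they become &#x27;), so nothing needs to be stripped from the data for either quote style.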

Re: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Ajas Mohammed
Thanks guys,

I tried the Evaluate function and it worked well



but I am going to ask the client not to send quotes with the field.

Dusty, good trick, but I want to do it right so I don't have to deal with
quotes or single quotes.

Thanks,

Ajas.





RE: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Troy Jones
Is it possible to maybe use an HTML entity in storing the data in the
first place? Maybe, replace the quotes with "&quot;"? Just a thought.

 

Troy Jones

Dynapp Support Team

678-528-2952

 

 


RE: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Dusty Hale
of course this example may have problems too. It's not valid code for one
thing and you might have the same problem with single quotes.




RE: [ACFUG Discuss] column contains " (quotes) and comma ,

2008-06-12 Thread Dusty Hale
try this:
 
 

 
I think that might do what you're asking.
 
 
