asp.net 中撇号的编码字符串
我在尝试解决撇号相关问题时遇到问题。
我已经搜索过,但找不到任何对我有帮助的东西。
我的客户端 JavaScript 代码是:
var strUserText = uSettings.replace(/'/g, "'")
执行上述行后,表单
document.form1.submit();
在代码后面进行提交,一个类检索这些值:
sUserSettings = request.form("strUserSettings ")
结果是一个半截断的字符串。
鉴于上述代码流程,如何将“John O'Brady's ASP Blog”保存到数据库中?
我以为我正在保存“John O'Brady 的 ASP 博客”,但这不起作用。
I am having a problem trying to resolve an apostrophe related issue.
I have searched SO, but could not find anything that would help me.
My clientside javascript code is:
var strUserText = uSettings.replace(/'/g, "'")
after the above line is executed, the form does a submit
document.form1.submit();
in code behind, a class retreives those values:
sUserSettings = request.form("strUserSettings ")
the result is a semi-truncated string.
Given the above code process flow, how can I save "John O'Brady's ASP Blog" in to a database?
I thought I was saving "John O'Brady's ASP Blog" but that isn't working.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
你的问题很模糊。为什么要对撇号进行编码?它破坏了你的输出吗?
最好的方法是将数据按原样提交到数据库...蹩脚的 JavaScript 注入、撇号、html 标记等等。然后您只需对输出进行编码即可。
另外,如果您使用的是最新版本的 .NET,则可以按如下方式对输出进行编码
(假设 strUserText 字符串变量已在视图中提前设置)
Your question is quite vague. Why are you encoding the apostrophe? Is it breaking your output?
The best way to do it would be to submit your data AS-IS to the database... crappy JavaScript injection, apostrophe's, html markup, and all. Then you simply encode the output.
Also, if you're using the latest version .NET, you can encode the output as follows
(assuming the strUserText string variable is set earlier in your view)
在任何情况下,您都不应“按原样”获取数据输入并将其插入数据库中; 严重的禁忌。至于撇号 - 您可以看看这个解决方案:
在参数中调用带撇号的存储过程不起作用
您的问题很模糊,但上面的链接应该告诉您解决方案在于 SQL 查询的制定方式。最重要的是,您需要实现正确的 数据输入的验证/过滤并对其进行编码将其插入数据库之前。
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting% 29_Prevention_Cheat_Sheet
Under no circumstances should you ever take data input "as is" and insert it in a database; serious no-no. As regards the apostrophe - you can take a look at this solution:
calling stored procedure with apostrophe in argument doesn't work
Your question is vague but the above link should clue you into the fact that the solution lies in the way the SQL query is formulated. Above all else, you need to implement proper data validation/filtering of the input and encode it BEFORE inserting it in the database.
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
不要这样做:
原因是 HTML 使用“&”用于分隔查询字符串和表单字段的字符。
我建议您按原样发布数据,并处理替换服务器端。
don't do this:
the reason is that HTML uses the "&" character to delimit query strings and form fields.
I suggest you POST your data AS IS, and handle the replace SERVER SIDE.
当尝试将 John O'Brady's ASP Blog 保存到数据库中时,不要使用 Javascript 函数,而是使用:
Server.HTMLEncode("John O'Brady's ASP Blog")上述结果将是
John O'Brady's ASP Blog从数据库检索并想要显示它时使用
Server.HtmlDecode(NameField)其中 NameField 是表中列的名称。
这将导致 John O'Brady 的 ASP 博客
Instead of Javascript function,when trying to save John O'Brady's ASP Blog into the database use:
Server.HTMLEncode("John O'Brady's ASP Blog")result of above will be
John O'Brady's ASP BlogAnd when retrieving from the database and want to display it use
Server.HtmlDecode(NameField)where NameField is the name of the column in the table.
this will result in John O'Brady's ASP Blog