hi guys this is a silly but small and important one for me.
I have a jQuery that picks up a bit of string that has single quotes and results in not picking them up at all. i.e.
data-name='someone's name';
The jQuery that picks up the code
$('#id').text($(this).data("name"));
My guess is jQuery enclosing is '' rather "" so the ' in someone's name is closing the hence this results in someone
So I was trying to do the following--
string name = "someone's name";
//Attempted replace here
<div data-name='<%# Eval("name").ToString().Replace("'","\'") %>'></div>
But I'm getting Parser Error Message: The server tag is not well formed.
What am I doing wrong?
Trivially use double quotes data-name="someone's name"
To deal with strings that may contain either quotes you need to encode as HTML entities:
HttpUtility.HtmlAttributeEncode("someone's name") yields someone's name
(You need to use outer " as the quote for this to work correctly)
Related
I'm working with matching an entire string within single quotes. The problem is, these strings are dynamically generated and I need to ignore all other single quotes within the first set of quotes. I've come across other solutions that are similar but I can't seem to tweak them to my needs.
Here is what I've worked with so far:
'(?:''|[^'])*'
I would like to match essentially everything within the first and last single quotes between content: and ;
Some example text:
#bottom {
content: 'Here we have an embedded unescaped 'single' that is generated at runtime. {Let's ignore it
please'
;
}
This is the playground I've been working in:
https://regex101.com/r/ITHciu/2
Any help would be greatly appreciated.
If you absolutely have to use Regexes for this and you are certain that ; will not be inside the string you are searching for, you could try this: '[^;]*'\s*;$. It will select everything from a ' and go until a like that ends with whitesapce and a ;.
Edit: if you need the stuff between the ' and ';, you could use a group '([^;]*)'\s*;$.
However, a much cleaner solution would be to make a little parser, that will read the string char by char. It's a fun exercise if you got a little bit more time.
If nothing else, you could use that regex to correct the invalid syntax in your files. And tell the people manually writing them what the valid syntax should be.
Below I have a regex statement I have been working on for quite awhile. The problem I am having is that their are a lot of quotations I am trying to parse out (I think that's the terminology I am looking for) so Visual Studio is freaking out about it. I have tried to fix this using escape characters, but it still won't recognize the whole phrase.
Here is the phrase without the escape characters:
string exceptionPattern = #"(?:(?:"([^"}]*)")|(\w+))\s*:\s*(?:(?:"([^"}]*)")|(\w+))";
With just this code in, nothing else, almost every line in my code gets affected. Here is the code using escape characters:
string exceptionPattern = #"(?:(?:\"([^\"}]*)\")|(\w+))\s*:\s*(?:(?:\"([^\"}]*)\")|(\w+))";
Once this comes into play, only this line is not working. In VS, the ([^\ part close to the beginning is not highlighted, meaning that it is not in quotes. Does anyone have any idea on how I can fix this problem?
This is the string I am trying to match. Note: THIS IS NOT JSON! I have confirmed it many times with the developer who made the database where this sample is coming from and he confirmed it is not JSON, so please do not try to use JSON on this. Also, the regex I have is trying to match displayException and the message after it, and also exception and the message after that including success false, using the quotes as a point of splitting
{"data":"","displayException":"Invalid Account Status. Please complete the registration process by clicking the verification link in your eTTek Dash Registration Verification email. Please contact 1-800-341-6184 M-F 9a-5pm CT for further assistance.","exception":"UNABLE TO LOGIN","success":false}
Inside a verbatim string, to escape a double quotes you must need to add another double double quotes near to that like "". So the compiler treats "" as a double quotes or otherwise it would treat " as an end of the verbatim string.
The MySQL documentation says that it should be \'. However, both scite and mysql shows that '' works. I saw that and it works. What should I do?
The MySQL documentation you cite actually says a little bit more than you mention. It also says,
A “'” inside a string quoted with “'” may be written as “''”.
(Also, you linked to the MySQL 5.0 version of Table 8.1. Special Character Escape Sequences, and the current version is 5.6 — but the current Table 8.1. Special Character Escape Sequences looks pretty similar.)
I think the Postgres note on the backslash_quote (string) parameter is informative:
This controls whether a quote mark can be represented by \' in a string literal. The preferred, SQL-standard way to represent a quote mark is by doubling it ('') but PostgreSQL has historically also accepted \'. However, use of \' creates security risks...
That says to me that using a doubled single-quote character is a better overall and long-term choice than using a backslash to escape the single-quote.
Now if you also want to add choice of language, choice of SQL database and its non-standard quirks, and choice of query framework to the equation, then you might end up with a different choice. You don't give much information about your constraints.
Standard SQL uses doubled-up quotes; MySQL has to accept that to be reasonably compliant.
'He said, "Don''t!"'
What I believe user2087510 meant was:
name = 'something'
name = name.replace("'", "\\'")
I have also used this with success.
There are three ways I am aware of. The first not being the prettiest and the second being the common way in most programming languages:
Use another single quote: 'I mustn''t sin!'
Use the escape character \ before the single quote': 'I mustn\'t sin!'
Use double quotes to enclose string instead of single quotes: "I mustn't sin!"
just write '' in place of ' i mean two times '
Here's an example:
SELECT * FROM pubs WHERE name LIKE "%John's%"
Just use double quotes to enclose the single quote.
If you insist in using single quotes (and the need to escape the character):
SELECT * FROM pubs WHERE name LIKE '%John\'s%'
Possibly off-topic, but maybe you came here looking for a way to sanitise text input from an HTML form, so that when a user inputs the apostrophe character, it doesn't throw an error when you try to write the text to an SQL-based table in a DB. There are a couple of ways to do this, and you might want to read about SQL injection too.
Here's an example of using prepared statements and bound parameters in PHP:
$input_str = "Here's a string with some apostrophes (')";
// sanitise it before writing to the DB (assumes PDO)
$sql = "INSERT INTO `table` (`note`) VALUES (:note)";
try {
$stmt = $dbh->prepare($sql);
$stmt->bindParam(':note', $input_str, PDO::PARAM_STR);
$stmt->execute();
} catch (PDOException $e) {
return $dbh->errorInfo();
}
return "success";
In the special case where you may want to store your apostrophes using their HTML entity references, PHP has the htmlspecialchars() function which will convert them to '. As the comments indicate, this should not be used as a substitute for proper sanitisation, as per the example given.
Replace the string
value = value.replace(/'/g, "\\'");
where value is your string which is going to store in your Database.
Further,
NPM package for this, you can have look into it
https://www.npmjs.com/package/mysql-apostrophe
I think if you have any data point with apostrophe you can add one apostrophe before the apostrophe
eg. 'This is John's place'
Here MYSQL assumes two sentence 'This is John' 's place'
You can put 'This is John''s place'. I think it should work that way.
In PHP I like using mysqli_real_escape_string() which escapes special characters in a string for use in an SQL statement.
see https://www.php.net/manual/en/mysqli.real-escape-string.php
I am trying to query a database in WebMatrix, something I've done several times, only this time, I have found some fields in the vendors column contain ampersands. I have looked over several articles, but none attack this solution from a WebMatrix point of view (actually, none really solve the direct issue, at all, and are instead work arounds for that specific environment).
I have also tried several things including C#'s Replace method (although, I was never able to get a clear example of what I should replace the ampersand with, if anything exists as a suitable replacement, that is), and escaping the ampersand with a backslash (clearly this didn't work).
What would be ideal would be an escape character in the sql environment itself, but, afaik, no such escape character exists. What should I replace the following query with to return rows whose fields contain ampersands, like so:
SELECT vendor_id FROM vendors WHERE vendor_name = 'J & H Equipment'
The above query returns no rows even though the vendor_name column contains a value (string) that is exactly 'J & H Equipment'
It bares mentioning that I am parameterizing my queries, so the actual query looks like:
string selectQueryString = "SELECT ap_vendor_id FROM ap_vendors WHERE ap_vendor_name = #0";
var code = db.QueryValue(selectQueryString, searchString);
After this code, I simply write the value to the page (with razor, and yes I have tried Html.Raw(code) and #code), because this is an AJAX call.
Also, Below is the replace function I have tried running before the actual query:
searchString = searchString.Replace("&", "\\&");
Note that the double backslashes are necessary as the '\' character is an escape character in C#, so two '\' equates to one '\' in C#.
--------------------------MY SOLUTION---------------------------
For me the solution was to use encodeURIComponent in my javascript before the AJAX call (I'm sure it is clear, by now, that I haven't been using AJAX for long).
The solution is to use encodeURIComponent in the javascript before the AJAX call.
I want to add double quotes for a sting . I know by using /" we can add double quotes . My string is
string scrip = "$(function () {$(\"[src='" + names[i, 0] + "']\"" + ").pinit();});";
When i do this on the browser i am getting " instead of " quotes . How can i overcome with the problem ?
If your browser has displayed a """ instead of a " character, than there are only a few causes possible. The character should have been emitted to the browser as either itself, or as a HTML entity of ". Please note the semicolor at the end. If a browser sees such 'code', it presents a quote. This is to allow writing the HTML easier, when its attribtues need to contain special characters, compare:
<div attribute="blahblahblah" />
if you want to put a " into the blahs, it'd terminate the attribute's notation, and the HTML code would break. So, adding a single " character should look like:
<div attribute="blah"e;blahblah" />
Now, if you miss the semicolon, the browser will display blah"blahblah instead of blah"blahblah.
I've just noted that your code is actually glueing up the JavaScript code. In JavaScript, the semicolon is an expression delimiter, so probably there is actually a " in the emitted HTML and it is just improperly presented in the error message... Or maybe you have forgotten to open/close some quotes in the javascript, and the semicolon is actually treated as expression terminator?
Be also sure to check why the JavaScript code undergoes html-entity translation. Usually, blocks are not reparsed. Are you setting that JavaScript code as a HTML element attribute? like OnClick or OnSend? Then stop doing it now. Create a javascript-function with this code and call that function from the click/send instead.. It is not worth to encode long expressions in the JS into an attribute! Just a waste of time and nerves.
If all else fails and if the JavaScript is emitted correctly, then look for any text-correcting or text-highlighting or text-formatting modules you have on your site. Quite probable that one of them is mis-reading the html entities and removed the semicolon, or the opposite - that they add them were they are not needed. The ASP.Net itself in general does its job right, and it translates the entites correctly wherever they are needed, so I'd look at the other libraries first.
You can use something like this:
String str=#"hello,,?!"
This should escape all characters
Or
String TestString = "This is a <Test String>.";
String EncodedString = Server.HtmlEncode(TestString);
Here's the manual: http://msdn.microsoft.com/en-us/library/w3te6wfz.aspx
What else are you doing with the string?
Seems that somewhere after that the string gets encoded. You can could use HttpUtility.HtmlDecode(str); but first you'll have to figure out where your string gets encoded in the first place.
Keep in mind that if you use <%: %> in aspx or #yourvarin Razor it will get encoded automatically. You'll have to use #Html.Raw(yourvar) to suppress that.