-
May 24th, 2003, 12:17 AM
#1
Thread Starter
Fanatic Member
JS, ASP: Code blocker
What I'm creating is a forum.
What is the best way to block problems in a user message?
For example, I do not want them inputting their own HTML.
Also, no JavaScript:
Code:
<SCRIPT>
open infinate windows
</SCRIPT>
etc.
Do you see what I mean?
I heard a while ago of a command called [scriptblock]
but that is not popping up any search results on this forum or Google.
I don't want my forum running any JS code, or even HTML, for malicious potential. I might eventually add [b] tags and such in time for formatting.
Thanks for the help!
ok, so... windows takes 1 minute to search for a file on my PC yet google.com takes 1 second to search the entire internet? 
-
May 25th, 2003, 07:49 PM
#2
Stuck in the 80s
I know you're coding in ASP, but in PHP, there's quite a few functions to accomplish this, such as htmlspecialchars() and htmlentities().
However, I'm pretty sure searching for < and > and replacing them with &lt; and &gt; (respectively) before displaying the message will accomplish the same thing those PHP functions do.
I'm not sure of syntax, so if you need help, I'm sure someone else will provide you with it.
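The < and > replacement in post #2 is the core of an HTML escape. As an added example that is not from this thread, here is that escape written out in plain JavaScript (the same String.replace calls exist in classic ASP's JScript), extended with the [b]/[i] tag conversion the thread starter mentions wanting later. The tag set, the function names and the sample message are my own assumptions.

```javascript
// Added example (not from the thread): render a user-supplied forum message
// as text rather than markup, then allow a small whitelist of BBCode tags.
// Plain JavaScript; classic ASP's JScript has the same String methods.

// The five characters PHP's htmlspecialchars() rewrites (with ENT_QUOTES).
var HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Rewrite every special character in a single pass, so each one is escaped
// exactly once and no double-escaping can occur.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) {
    return HTML_ESCAPES[ch];
  });
}

// Convert a limited, hypothetical set of [b]/[i] tags into markup *after*
// escaping, so these exact tags are the only HTML that can reach the page.
// An unclosed tag is left as literal text.
function renderMessage(text) {
  var safe = escapeHtml(text);
  return safe
    .replace(/\[b\]([\s\S]*?)\[\/b\]/g, '<b>$1</b>')
    .replace(/\[i\]([\s\S]*?)\[\/i\]/g, '<i>$1</i>');
}

// Constructed sample input modelled on the thread's example: a message that
// tries to embed a script element next to legitimate formatting.
var SAMPLE_MESSAGE = 'Hi all! <SCRIPT>not run</SCRIPT> [b]bold[/b] & "quotes"';

// Stand-alone run: prints the escaped form that would be written to the page.
console.log(renderMessage(SAMPLE_MESSAGE));
```

Escaping first and only then converting the whitelisted tags is the order that matters: anything the user typed that looks like HTML has already been neutralised by the time the [b] and [i] patterns are applied.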
-
May 25th, 2003, 09:26 PM
#3
Thread Starter
Fanatic Member
Thank you, I will look into that.
But what about if the user puts " in their message, isn't that going to throw off my SQL statements?
Code:
// Build the INSERT by string concatenation; the body is spliced in as typed.
strSQL = "";
strSQL += "INSERT INTO tblMessages ";
strSQL += "(strBody) ";
strSQL += "VALUES (' " + strMessage + " ')";
Now, let's say strMessage is the Body that the user typed in and is going to be sent to my database through this SQL statement.
I put extra spaces in the quotes on the last line there just to separate single and double quotes and make 'em easier to read.
So, if strMessage was: ...and then he said, "Hello, world'.
When passed in as strMessage, would that not confuse my SQL Server with the additional " and ' and therefore result in an error?
Is there a replacement string, like the &lt; etc. you listed above, for quotes and double quotes?
-
May 25th, 2003, 09:55 PM
#4
Stuck in the 80s
I'm not sure if it'll mess up the SQL statement...I guess you'll just have to try it. I'm pretty sure PHP takes care of that, although we do have a addslashes() function just in case.
If there's a replace function, you could just replace all occurrences of ' or " with \' and \".
That should do it.
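Added example, not from the thread. Microsoft SQL Server's T-SQL does not treat a backslash as an escape character inside a string literal, so a replacement with \' leaves the quote problem from post #3 open; in T-SQL a single quote inside a literal is written as two single quotes. The more robust option in classic ASP is to pass the body as a parameter on an ADODB.Command object instead of splicing it into the statement text at all. The plain JavaScript below (function names and the sample body are my own) builds post #3's INSERT with the quote doubled and adds a balance check a defender can run over generated statements before they are sent.

```javascript
// Added example (not from the thread): quote a user-supplied body for a
// T-SQL string literal and verify the generated statement is well formed.
// Plain JavaScript; classic ASP's JScript has the same String methods.

// T-SQL escapes a single quote inside a literal by doubling it.
function escapeSqlLiteral(text) {
  return String(text).replace(/'/g, "''");
}

// Build the statement the way post #3 does, but with the body escaped.
// Double quotes need no treatment: inside a single-quoted T-SQL literal they
// are ordinary characters (they delimit identifiers, not strings).
function buildInsert(strMessage) {
  var strSQL = "";
  strSQL += "INSERT INTO tblMessages ";
  strSQL += "(strBody) ";
  strSQL += "VALUES ('" + escapeSqlLiteral(strMessage) + "')";
  return strSQL;
}

// Defensive self-check: walk the statement and confirm every literal that
// opens also closes, treating '' inside a literal as one escaped quote.
// Returns true when the quoting is balanced, false when user text has
// broken out of the literal.
function literalsBalanced(sql) {
  var inLiteral = false;
  for (var i = 0; i < sql.length; i++) {
    if (sql.charAt(i) !== "'") continue;
    if (inLiteral && sql.charAt(i + 1) === "'") { i++; continue; } // escaped ''
    inLiteral = !inLiteral;
  }
  return !inLiteral;
}

// Constructed sample body taken from post #3's wording.
var SAMPLE_BODY = '...and then he said, "Hello, world\'.';

// Stand-alone run: show the escaped statement and its balance check.
console.log(buildInsert(SAMPLE_BODY));
console.log("balanced:", literalsBalanced(buildInsert(SAMPLE_BODY)));
```

The balance check is a safety net for statements that are still assembled from text; once the body travels as a command parameter there is no literal to balance and the check becomes unnecessary.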
-
May 25th, 2003, 10:41 PM
#5
Thread Starter
Fanatic Member
Yes, you're right... I could just write a function that scans the user's input and replaces ' with \' and " with \" etc.
I'm not going to put a "resolved" in the subject yet because I haven't tested it, but I will do so tomorrow.
-
May 26th, 2003, 02:17 AM
#6
Again, in PHP there would be escapequotes().
Maybe you should switch to PHP or JSP
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
May 26th, 2003, 02:22 AM
#7
Thread Starter
Fanatic Member
Maybe you should switch to PHP or JSP
But I like ASP
Everything aside, I have to use ASP because everything has been written in ASP and the server only runs ASP and SQL. No MySQL or Linux. And besides, it's a good challenge.
Last edited by invitro; May 26th, 2003 at 02:29 AM.
-
May 26th, 2003, 11:10 AM
#8
Stuck in the 80s
Did you get everything working with the replaces?
-
May 26th, 2003, 11:18 AM
#9
Thread Starter
Fanatic Member
I actually haven't gotten a chance to create a replace function yet. Unfortunately, this week, out of many, is a test week and I will probably be at school studying. Got to maintain that GPA. I might sit down and spend a few hours on it tonight when the first one will be over.