|
-
Sep 16th, 2013, 01:19 PM
#1
Thread Starter
Hyperactive Member
Does not work in CHROME ?? charachter replacement
Why does not CHROME recognize this?
<script type="text/javascript" language="javascript">
function convertquotetospace()
{ if (event.keyCode == 39) { event.keyCode = 94; } }
document.onkeypress = convertquotetospace;
</script>
In every other browser if a ' is entered it converts it to a ^
why .. or what else to do? I want it in the html
gollnick
-
Sep 16th, 2013, 01:26 PM
#2
Re: Does not work in CHROME ?? charachter replacement
You're not passing "event" into the function itself.
Try
Code:
<script type="text/javascript" language="javascript">
function convertquotetospace(event)
{ if (event.keyCode == 39) { event.keyCode = 94; } }
document.onkeypress = convertquotetospace;
</script>
Although I'm surprised that works on any browser without the event object being passed in.
-
Sep 18th, 2013, 05:52 AM
#3
Thread Starter
Hyperactive Member
Re: Does not work in CHROME ?? charachter replacement
Nope.. sorry .. does not work. Now I get this on the keystroke
"Microsoft JScript runtime error: 'keyCode' is null or not an object"
gollnick
-
Sep 18th, 2013, 07:16 AM
#4
Re: Does not work in CHROME ?? charachter replacement
I changed your event to run on a textbox rather than the document itself, but this code should work.
Code:
<script type="text/javascript" language="javascript">
function convertquotetospace(event){
if (event.keyCode == 39) {
this.value += String.fromCharCode(94);
return false;
}
}
document.getElementById("test").onkeypress = convertquotetospace;
This should work in all browsers and IE9+.
-
Sep 18th, 2013, 07:35 AM
#5
Thread Starter
Hyperactive Member
Re: Does not work in CHROME ?? charachter replacement
Sorry.. nope .. did nothing. Besides looking at this it seems I will need the "document.getElementById" for each and every field on my form.. and not only this form but the 35 other forms in this web project. Would not be an issue if SQL did not toss it's cookies when it encounters a " ' " in an update/set or insert string
gollnick
-
Sep 18th, 2013, 07:49 AM
#6
Re: Does not work in CHROME ?? charachter replacement
If it did nothing, then you've done something wrong or are using IE8 or below.
If you're having SQL issues, then this has nothing to do with sanitizing the textboxes using javascript, you need to use parameterized queries in SQL.
Post the code you're using to insert SQL and we can probably fix that.
Also, I used getElementById to add the event handler, but you could always associate it with a class (or even the input element) and then simply add the class to each element you want to validate.
-
Sep 18th, 2013, 08:01 AM
#7
Thread Starter
Hyperactive Member
Re: Does not work in CHROME ?? charachter replacement
Sorry.. I have no control over browser type.. Could be ie6 ie7 ie8 ie9 Safare firefox or jungle jims......
That script works everywhere BUT Chrome
Here is the SQL string
INSERT into SNAPTEST.BILLING VALUES (92,92,15797,92,5,961,1,0.25,'N',5,3.00,0,0,15.00,0,' ',0,'2013-09-18','2013-09-18','AD WASN'T ALLOWED ',' ',0,0,2,2.990,44.85,0.000,0.00,44.85,'AH',' ',' ',2,2.25,' ',' ',0.00,' ',' ',1,'09205 I1 0 ',1,'S',' ',' ',' ',' ',' ',0,0,'0',0,0,'ABC SEAMLESS OF OMAHA ',0,0,0,0,' ',94,0,' ',' ',9.00,0.00,' ',' ','0 ','bill ','2013-09-18',246,1,'201309')
Please notice the extra single quote in the phrase AD WASN'T ALLOWED... on the *This._Command.ExecuteNonQuery() is where it's tossing.....
gollnick
-
Sep 18th, 2013, 08:05 AM
#8
Re: Does not work in CHROME ?? charachter replacement
It is the way you're concatenating the query. If you use parameterized queries, it will automatically escape single quotes for you.
Are you using VB.NET or C#? If you give me that information, I can write up an example on how to write your query using parameterized queries.
Basically, what you have right now is an SQL injection security hole. If I were to disable javascript, I could insert a single quote into your textbox and add something like
'; truncate table SNAPTEST.BILLING; --;
Which would, instead of inserting into your table, delete all values from your SNAPTEST.BILLING table.
Last edited by kfcSmitty; Sep 18th, 2013 at 08:08 AM.
-
Sep 18th, 2013, 08:16 AM
#9
Thread Starter
Hyperactive Member
Re: Does not work in CHROME ?? charachter replacement
Using VB..
Also .. tried what you entered above in the textbox (which ties to a description field in the file) and it did nothing but add that as the description. That's it
gollnick
-
Sep 18th, 2013, 08:24 AM
#10
Re: Does not work in CHROME ?? charachter replacement
Code:
Dim con As SqlConnection = New SqlConnection("your connection string here")
con.Open()
Dim query As String = "INSERT INTO SNAPTEST.BILLINGVALUES (@firstValue)"
Dim cmd As SqlCommand = New SqlCommand(query, con)
With cmd.Parameters
.Add(New SqlParameter("@firstValue", insertValue.Text))
End With
cmd.ExecuteNonQuery()
con.Close()
con = Nothing
Using parameterized queries like this, users can enter whatever they want into the "insertValue" textbox, even a single quote, and it will insert it into the database. You will not have to worry about SQL injection.
Obviously the above example is just an example, as you have many more fields to insert, but if you add more parameters, it will fix everything up.
 Originally Posted by gollnick
Using VB..
Also .. tried what you entered above in the textbox (which ties to a description field in the file) and it did nothing but add that as the description. That's it
gollnick
I would have to play around a bit as I believe the code snippet I posted was a MySQL comment. The point stands, and is not arguable, that the SQL you posted, and the fact you're trying to remove single quotes from the values you're adding, opens you up to SQL injection. If you do a bit of Googling on the subject, I bet you can find an example that will wipe all of your data.
Last edited by kfcSmitty; Sep 18th, 2013 at 08:30 AM.
-
Sep 18th, 2013, 09:00 AM
#11
Thread Starter
Hyperactive Member
Re: Does not work in CHROME ?? charachter replacement
So you are saying do it this way... Ok .. I'll try it
Dim query As String = "INSERT INTO SNAPTEST.BILLING (@firstValue , @NextValue1 , @NextValue2 , @NextValue3 , @NextValue4 )"
Dim cmd As SqlCommand = New SqlCommand(query, con)
With cmd.Parameters
.Add(New SqlParameter("@firstValue", insertValue.Text))
.Add(New SqlParameter("@NextValue1", insertValue1.Text))
.Add(New SqlParameter("@NextValue2", insertValue2.Text))
.Add(New SqlParameter("@NextValue3", insertValue3.Text))
.Add(New SqlParameter("@NextValue4", insertValue4.Text))
End With
-
Sep 18th, 2013, 09:11 AM
#12
Re: Does not work in CHROME ?? charachter replacement
Yup, that looks right. If you do that, it doesn't matter what a user enters into the textbox, it will insert properly into the database and you won't have to worry about escaping anything.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|