I've tried to search but didn't found an answer.
I've created with PL/SQL, HTML, CSS and Javascript a web application.
People can search for article and write a comment to These articles.
If they click the submit button it starts to search with the conditions of the customer.
I send the conditions as param and store them into variables.
After that I start my Statement and refresh the page with the new records.
If someone writes a comment with Special characters like
(&, %, ", ', _)
my page crashes because the Statement string isn't correct anymore.
The Statement Looks like
SELECT * FROM myTable
WHERE Name LIKE ('''%'||nameVar||'%''');
Excuse my english
Thanks
Ok, first your question about "ESCAPING" lead me to the wrong way, because you can define a "ESCAPE" character for a like Statement: This would take your % or _ in your Statement literal:
where ..... like '%\%%' ESCAPE '\'
should find a record with an % in the column.
BUT THATS NOT YOUR PROBLEM!
Your web application has to HTML encode your string - then you can store it in any database.
This has to be done by your frontend (whatever it is: ASP.NET, PHP, etc ...)
After a short Google search I found this: HTF Package, the HTF.ESCAPE_SC function encodes the string to be useable in SQL Statements.
Maybe this link helps you: https://docs.oracle.com/cd/B14099_19/web.1012/b15896/pshtp.htm
Related
Let me preface this by stating very clearly that I am not a developer and I'm new to NetSuite formulas.
I have a NetSuite saved search that include the Web Address (field id: {url})
I need to remove everything except the main part of the domain (end result should look like abc.com).
I have attempted to use REPLACE({url}, 'http://[,' ']) unsuccessfully.
I have also attempted various LTRIM, RTRIM, TRIM formulas without luck.
I found some information on using REGEXP_SUBSTR, but wasn't successful there either.
I was able to accomplish my goal in Excel using Excel string functions MID, LEN, and RIGHT, but that doesn't seem to translate in NetSuite.
I'd love some assistance.
REGEXP_SUBSTR({url}, '//(.)+') --> get substring starting with //
REPLACE({text}, '/') --> replace / with nothing
The final formula is:
REPLACE(REGEXP_SUBSTR({url}, '//(.)+'), '/')
Jala's answer doesn't seem to work for URLs such as https://stdun7.wixsite.com/stdunstansparish where it returns stdun7.wixsite.comstdunstansparish
In your saved search create a Forumula (Text) field with the following formula
REGEXP_REPLACE({url},'(^http[s]?://)([a-zA-Z0-9.-])(/?.)', '\2')
I'll break down the arguments for the REGEXP_REPLACE function and how it all works...
First argument - {url} the Field containing the url information to parse
Second argument - regexp string
Third argument = replace regexp string
the regexp string has parentheses to denote capture groups of portions of the regular expression.
The first capture group captures the protocol portion of the URL.
The second capture group captures the next part, all permissible hostname characters until the end of the string, or until a '/'
The third capture group captures the remaining portion of the string.
The replace string is used to prepare the return value of the REGEXP_SUBSTR function. Since the entire url is matched by the regexp, the entire string will be replaced by this expression, referencing the second capture group. (aka the hostname)
Since you say you're new to NetSuite formulas, I'll note that those functions are based on Oracle PL/SQL so if you want additional info or examples of how they work beyond what NetSuite provide, sometimes it's instructive to just google things like "pl/sql REGEXP_SUBSTR" etc. to get additional documentation how how they work.
Another good resource is regex101.com, a helpful site to test regular expressions in advance....
I have implemented a routing functionality successfully in my project (a news website):
Sub RegisterRoutes(ByVal routes As RouteCollection)
routes.MapPageRoute("ndetails", "news/{title}/{id}/", "~/newsdetail.aspx")
End Sub
and I set the URLs like this (databound to a repeater):
href="<%# Page.GetRouteUrl("ndetails", new with { .title= Server.UrlEncode(Eval("Title")), .id= Eval("NewsID")})%>"
The URL produced is like:
/this%20is%20a%20news%20item/89
As can be seen above, the URL part is difficult to read and I would like it to be like:
/this_is_a_news_item/89
I thought of going for a Replace function. But then, since the user creating the news might enter any string, I have to take into account all the other characters that might need to be replaced.
I just wanted to know from an experienced developer, whether going with a long replace function is the way to go, or is there another solution to format my URLs in this rouitng scenario.
Many thanks in advance
AFAIK there is no built in funcitonality in the framework to make url "pretty". You have to implement your own url fo rewriting the title.
In the save of your entities simply use a function that do the replaces that you need (' ' with '_' or example) and then use UrlEncode.
You can also use a Regular expression to do the replacement in one go.
I'm doing some client-side stuff with Javascript/JQuery with .Net controls which expose their GUID/UniqueIdentifier IDs on the front end to allow them to be manipulated. During debugging something is driving me crazy: The GUIDs in the db are stored in uppercase, however by the time they make it to the front end they're in lowercase.
This means I can't quickly copy and paste IDs into the browser's console to execute JS on the fly when devving/debugging. I have found a just-about-workable way of doing this but I was wondering if anyone knew why this behaviour is the case and whether there is any way of forcing GUIDs to stay uppercase.
According to MSDN docs the Guid.ToString() method will produce lowercase string.
As to why it does that - apparently RFC 4122 states it should be this way.
The hexadecimal values "a" through "f" are output as lower case characters and are case insensitive on input.
Also check this question on SO - net-guid-uppercase-string-format.
So the best thing you can do is to call ToUpper() on your GUID strings, and add extension method as showed in the other answer.
If you're using an Eval template, then I'd see if you can do this via an Extension method.
something like
public static string ToUpperString(this Guid guid, string format = "")
{
string output = guid.ToString(format);
return output.ToUpper();
}
And then in your Eval block,
myGuid.ToUpperString("B")
Or however you need it to look.
I'm on my Mac at the moment so I can't test that, but it should work if you've got the right .Net version.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
" & etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following " -> "
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What i would suggest is that you write a quick script that goes through the database and unencode the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded1, the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
1Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".
I'm building an automated RSS feed in ASP.NET and occurrences of apostrophes and hyphens are rendering very strangely:
"Here's a test" is rendering as "Here’s a test"
I have managed to circumvent a similar problem with the pound sign (£) by escaping the ampersand and building the HTML escape for £ manually as shown in in the extract below:
sArticleSummary = sArticleSummary.Replace("£", "£")
But the following attempt is failing to resolve the apostrophe issue, we stil get ’ on the screen.
sArticleSummary = sArticleSummary.Replace("’", "’"")
The string in the database (SQL2005) for all intents and purposes appears to be plain text - can anyone advise why what seem to be plain text strings keep coming out in this manner, and if anyone has any ideas as to how to resolve the apostrophe issue that'd be appreciated.
Thanks for your help.
[EDIT]
Further to Vladimir's help, it now looks as though the problem is that somewhere between the database and it being loaded into the string var the data is converting from an apostrophe to ’ - has anyone seen this happen before or have any pointers?
Thanks
I would guess the the column in your SQL 2005 database is defined as a varchar(N), char(N) or text. If so the conversion is due to the database driver using a different code page setting to that set in the database.
I would recommend changing this column (any any others that may contain non-ASCII data) to nvarchar(N), nchar(N) or nvarchar(max) respectively, which can then contain any Unicode code point, not just those defined by the code page.
All of my databases now use nvarchar/nchar exclusively to avoid these type of encoding issues. The Unicode fields use twice as much storage space but there'll be very little performance difference if you use this technique (the SQL engine uses Unicode internally).
Transpires that the data (whilst showing in SQLServer plain) is actually carrying some MS Word special characters.
Assuming you get Unicode-characters from the database, the easiest way is to let System.Xml.dll take care of the conversion for you by appending the RSS-feed with a XmlDocument object. (I'm not sure about the elements found in a rss-feed.)
XmlDocument rss = new XmlDocument();
rss.LoadXml("<?xml version='1.0'?><rss />");
XmlElement element = rss.DocumentElement.AppendChild(rss.CreateElement("item")) as XmlElement;
element.InnerText = sArticleSummary;
or with Linq.Xml:
XDocument rss = new XDocument(
new XElement("rss",
new XElement("item", sArticleSummary)
)
);
I would just put "Here's a test" into a CDATA tag. Easy and it works.
<![CDATA[Here's a test]]>