Don't want ASP.net escape my string from database - asp.net

I have a field with product name
abc® product1
If I get the data from the database and databind it to the dropdownlist. It becomes
<option value="2">abc &reg; product1</option>
I don't want ASP.net to escape the ® to %amp;reg.
What should I do?

i'm using such thing (see below), maybe it will help you
first i'm encoding data (special symbols) in numeric entites, when push data in database
when i receive it from database, i write such thing in View:
<% =Html.TextBox("test", Model.test).ToString().Replace("&#", "&#")%>
point is, that when you writing Model.test, that actually means Html.Encode(Model.test)
in my case i don't want to simly decode it (because it could be XSS for example), but write only correct data to input value

In your database you shouldn't store abc® product1 but abc® product1. Then when this value is rendered on the page you need to HTML encode it which happens automatically if you use <asp:DropDownList.

As the above person mentioned, abc® is a REALLY bad feild name.
Does it HAVE to be that?

You want to HTML encode the string prior to it being shown in the HTML. This will preserve its name

Related

Laravel Form input type="text" select data from another table on type type suggest existing data from the table and select

How can i create a form like the one on linkedin. On form input type when i type is going to fect data from a database if not existis is going to create it and fetch d and store to another table
on form input type, immediately get result: This can be done by AJAX. Laravel support Vue which can do this easily:
1a. call a function in the mounted() part.
1b. the function call itself by putting setTimeout(this.functionName,1000) at the end.
1c. in the function, check if the text in the text box is changed. if yes, make a request by axios.get('blablabla').then(response=>{//put the response into vue dataArrayName in data part});
1d. the html template is auto-updated by v-for="dataArrayName"
looks like the search is done by comparing char by char from the beginning of the string to the data.
if you press enter, pass the search string to the controller, use some logic to determine whether it is needed to create row in database

Store ID and Text

How can I set some text to a label but also store its ID. For instance I'm taking an ID/text value pair and painting the text in a label but I need to store the ID somewhere to be able to retrieve both that text value and ID later on for some more logic in the page.
I don't think you can store an ID in a label...which is what I'm using. I can append html() to the label using jquery's html() function but then I do not know if this is a good html control to be using as I can't store the ID anywhere.
It is probably obvious what my choices are but honestly I've never come across this issue before. I thought I could use an asp.net literal but I don't think that's gonna help me either with storing the ID.
When I'm required to do this, e.g. inside a Repeater, I solved this storing the ID inside an additional hidden field.
This enabled me to later retrieve the ID back, e.g. after a postback or through JavaScript in the client.
See this MSDN page for a description of the Value property as well as an example that deals with JavaScript and postback.
if you are using jQuery,you can use jQuery.data(); for this. And if you are using HTML5 , you can use client side storage.
You have several options.
Convert the value to a string and store the value in a HiddenField.
Store the value in the Session.
Store the value in the ViewState.
You have 3 options to store your ID:
Session Variable
ViewState
HiddenField

Using / in query strings

I am trying to use query strings in ASP.NET. I have a requirement of the following format
http://localhost/website/1/?callback=?
Here 1 denotes the ID of the profile. This means some info from id=1 will be fetched through the string
If this would have been website/2/?callback=? , then the id would be 2. My questions is to how do I use this /id/ as a query string so it can be used to fetch the profile ID. This was my first preference to use /id/ format otherwise I could look into fetching using two ?'s
If the id =1, I want to fetch ID=1 particulars from DB on this page. http://localhost/website/1/?callback=?
In your case the ID is in the PATH, not the query string. You can access the path via Request.Path in an ASPX page. From there you would need to do some string parsing to get at the portion of the path where you expect the ID to be.
In your case I would probably use something like int.Parse(Request.Path.Split(new char[] {'/'}, StringSplitOptions.RemoveEmptyEntries)[1]), but please note that I've made that line pretty dense for brevity's sake. For starters, you should use int.TryParse() instead of int.Parse(). This code assumes that the ID will always be in the same place in the url. For example, it will work for "/website/2/" and "/user/2/", but not for "/website/somethingelse/2/".
UriTemplate might be a good choice for that sort of parsing. Not to mention, probably a bit more clear and explicit about what's happening.
Check out: http://msdn.microsoft.com/en-us/library/system.uritemplate(v=VS.90).aspx

Processing variable number of form fields

I am working on a form which displays information about orders. Each order has a unique id, but they are not necessarily sequential on the form. Also, the number of fields can vary (one field per row on the form). The input into the form will not be mapped straight into the database, but will be added to the current value in the database, and then saved. An example of the form is in the picture below - the callout on the right shows the id for each row.
I know how to generate the form like this, but I can't work out how I can easily process each of these rows reliably. I also know how to give each of the fields a unique identifier, like name="order-23" or name="order[23]", but how can I translate that name so that I can update the related record in the database?
EDIT: One solution I can think of would be to iterate through every form field in the FormCollection, and if the name of the field matches the pattern, then I will extract the number from that field-name and process it.
However, I feel that there must be a much easier way to go about it - this method would likely involve a fair bit of string processing on each field, and there would possibly fall over if I have to add extra fields for each row later on.
Don't you have a list of IDs after postback? I believe you should not depend on what IDs are actually sent from the form, as anybody could change the IDs on the form to whatever they want, so it's a security issue. So you should after postback have a list of IDs you want to update (the same list you used to create the form with). In that case, you know exactly what id string you should use to retrieve the value from FormCollection.
In case you really can't get the list of IDs you are going to update, just use the FormCollection iteration as you suggested in your comment. The string processing is not that expensive in comparation with all other stuff being done at request processing.
If you have the names, then simply read the values by using Request.Form["order-23"] or re-create the controls in page pre-init and you'll have access to the values in your save event directly through the created controls.
I've done this loads in my CMS.
Essentially i sort of cheated.
The idea is something like this ....
render the form to the client, then look at the source code gneerated.
You should see that it generated a form tag with an action attribute.
When you click the submit button the form will be sent to that url so in the case of an order submission you would post the page back to OrderPage.aspx?OrderId=xxxx
then on the server you would build an update statement for your db that contained something like ...
"Update orders where order id =" + request.querystring["OrderId"]
So how do you update the action ...
In the calling page lets say you have a link called "New Order", when that link is clicked you need to do 2 things ...
redirect to this page.
generate an order id for this new order.
ok the first is simple, simply link it to this page.
the second ...
if this page is not a postback if(!IsPostback) { /* get a new id */ } depending on your order id's this may involve generating a new guid or doing something like getting the next number in a list by doing a select max(id) from a db.
once you have this new id you should still be in the page_load event.
this.form.Action = this.form.Action + "?OrderId=" + yourNewOrderId;
... tada ...
Send page back to the client.
view the source.

Asp.Net Sql Auto-Increment for Wall Post

I have a table that contains three columns.
"UserId" type-nvarchar
"PostAuthorId" type-nvarchar
"Post" type-text
This table will contain "wall" posts like in facebook for each user's page. I am going to use a gridview on each user's page to display the posts. The issue is I want to display them with the latest(most current) post being first and the earliest post being last.
I have never used autoincrement before and I am not sure if that is the answer. If it is, I do not know how to use it. I thought about adding a date posted column and then ordering by date.
If I end up using the date column, I could also display the date on the post. Is there a way to convert the date to a readable format?
What is the best way of implementing this type of ordering?
If you use AutoIcrement the first record will start with 1 and each record will increment from there. (default setting)
If you want to sort them by newest first do an ORDER BY ID DESC
I would suggest making a column called wallPostID then setting that to AutoIncrement and also your Primary Key
Date Formating:
If you are displaying this data in a gridView
Go to Edit Columns on your grid view
CLick on the Date field under "Selected Fields" on the bottom left
Under "BoundField properties" on the right Go to Data -> DataFormatString
{0:d} will display as 1/1/2010
This site has more info in string formatting
http://msdn.microsoft.com/en-us/library/fht0f5be.aspx
A datetime column would definitely work for something like this. Assuming you are using MS-SQL, you can also attach a default value to the column using a built-in function like GETDATE(). That way, you only have to input the data that matters and the database will take care of adding the datetime column.
For converting a datetime to a readable format try:
DateTime postDate;
string value = postDate.ToShortDateString();
You should always use an ID field that auto increments. Can also be used as your PK
I would suggest the DateTime field rather than the autoincrement simply because it will not only serve as an effective Sort field, it also preserves information that you may well want to display. If you want the most recent first you'll sort using the Date and a "DESC" modifier:
Select ... Order By [Date] DESC;
When you retrieve the data, you can retrieve it as a DateTime and modify it using C#. You can use "ToShortDateString()" as suggested by mdresser if you just wish to show the date or ToString("...") if you wish to show the time as well. You can also use SQL to convert it into a string before retrieving it:
convert(Varchar(10), #mydatetime, 101)
If you look in MSDN you'll see the various conversion codes (101 is the code used above) that can be used to translate the date in various ways.
UPDATE: You may want to use an autoincrementing field for your application for reasons other than your expressed need to sort wall entries. They are easy to use - just mark the field as an Identity if using SQL Server (other DBs are similar). As far as using them in your program, just think of the field as an Int field that you never have to set.
Now, why would you use a auto-incrementing field? Perhaps the most straightforward reason is so that they give you have an easy way to identify each record. For example, if you permit people to alter or delete their wall entries, the auto-incrementing field is ideal as it gives you a way to easily look up each record (each record will be assigned its own, unique value). You might put an "x" next to the record like StackOverflow does and make it a call back with the UID (auto-increment) value. Note that you should set up your primary key on the UID field if you'll be doing this.
Now, if you find them useful for this reason then you could also sort by the UID. I would still store the date so that you can provide Date and Time feedback as to when an entry was made on the wall but this would no longer be your indexed or sorted field.

Resources