
How to escape ampersand sign with C# asp.net



chelvis
11-21-2006, 05:25 PM
I am creating a page with some menus. The value for the menu comes from the database. If there is an ampersand sign (&) in a word, then the letters after the (&) sign are cut off.

For example, if the word is say 's&w value fields' then it's only displaying the letter 's' and the rest is cut off. I have to escape the & sign, but how do I do it since it's coming from the database (dynamic) and I don't know which one of them has the & sign? I have to display the words as they are in the database. How do I do this?

Below is my partial code: I have a tablecontrol created and then wrote this code:


string sMName = Request.QueryString["sMName"];
if (Request.QueryString["sMName"] != null)
{
    TableCell ModelNameCell = new TableCell();
    HyperLink hlModelName = new HyperLink();
    // sMName is concatenated raw into both the query string and the link text;
    // an '&' in it (e.g. "s&w value") ends the sMName parameter on the next page
    hlModelName.NavigateUrl = "../products/.aspx?cid=" + iCID + "&sMName=" + sMName;
    hlModelName.Text = sMName;

    ModelNameCell.Controls.Add(hlModelName);
    BreadCrumbRow.Controls.Add(ModelNameCell);
    tblBreadCrumb.Controls.Add(BreadCrumbRow);
}

nikkiH
11-21-2006, 09:10 PM
Depends on what field that ampersand is in.
If it ends up in the hyperlink, it's invalid html anyway.
The thing that puts it into the DB to begin with should be html encoding values that are meant to be used as html output. (script injection attack classic)

Cheap way:
stringVariable.Replace("&", " ")

Slightly better:
Server.HtmlEncode(stringVariable) // HttpServerUtility.HtmlEncode, reached through the page's Server property

Best: the app should do it before you ever hit this problem.

chelvis
12-05-2006, 03:42 PM
nikkiH, I didn't understand what you mentioned. I am new to SQL Server 2000.

I just checked the table and it has a column named CategoryName. In this column the data was entered with the '&' sign. For example, there is a category name called 's&w value'. This is what is giving me the problem in my C# code. When I call it, it's not understanding anything after the & sign.

Can you tell me what I should do in the database?

PS: Whoever entered it in the database entered it directly into the database, not through any HTML form or other means.

nikkiH
12-05-2006, 03:55 PM
nikkiH, I didn't understand what you mentioned. I am new to SQL Server 2000.
PS: Whoever entered it in the database, directly entered them into the database. Not through any html or other things.

Ah, well, you're stuck dealing with it then. :D
Can't make them encode the html as they type it, I suppose.
Your next project should be to make a form so they can't enter bad data. ;)

Normally values get into a database because someone made a form and users are entering things in say, a textarea. When you do it that way, you need to encode the values before they ever get into the database in the first place and then you don't have this problem.

Anyway, since you're stuck and you can't count on data that is valid html, your best bet is probably to just encode it. What that does is it changes values that are not valid html, such as < > & and whatnot into &lt; &gt; and &amp; so that when you display the text, it renders.

Use this one:
Server.HtmlEncode(stringVariable) // HttpServerUtility.HtmlEncode, reached through the page's Server property

See
http://msdn2.microsoft.com/en-us/library/system.web.httpserverutility.htmlencode.aspx
"Encodes a string to be displayed in a browser."
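The following is an added example, not code from either poster, showing how chelvis's breadcrumb snippet looks once the two outputs are encoded the way nikkiH's replies describe: the link text is HTML-encoded so '&' and '<' render as literal characters instead of being parsed as markup, and the query-string value is URL-encoded (HttpUtility.UrlEncode, from the same System.Web assembly) so an '&' inside "s&w value" is not read as a parameter separator by the next page. The Table, TableRow and iCID members are assumptions standing in for the undefined names in the original post; the path "../products/.aspx" is copied from it as-is.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the original thread.
// Assumed members (the thread never shows their declarations):
//   tblBreadCrumb  - the Table control chelvis mentions
//   BreadCrumbRow  - the TableRow the cell is added to
//   iCID           - the category id used in the link
public partial class Breadcrumb : Page
{
    protected Table tblBreadCrumb = new Table();      // assumed
    protected TableRow BreadCrumbRow = new TableRow(); // assumed
    protected int iCID = 42;                           // assumed sample id

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.QueryString[] already URL-decodes, so a correctly built
        // incoming "sMName=s%26w+value" arrives here as "s&w value".
        string sMName = Request.QueryString["sMName"];
        if (sMName == null)
        {
            return;
        }

        tblBreadCrumb.Controls.Add(BreadCrumbRow);
        BreadCrumbRow.Controls.Add(BuildModelNameCell(sMName));
    }

    // Builds the breadcrumb cell with both outputs encoded for their context.
    protected TableCell BuildModelNameCell(string sMName)
    {
        TableCell modelNameCell = new TableCell();
        HyperLink hlModelName = new HyperLink();

        // Query-string VALUE: URL-encode, so '&' becomes %26 and the value
        // stays one parameter instead of being cut at the ampersand.
        hlModelName.NavigateUrl = "../products/.aspx?cid=" + iCID
                                + "&sMName=" + HttpUtility.UrlEncode(sMName);

        // Link TEXT: HTML-encode, so '&' becomes &amp; and '<' cannot open a
        // tag. HyperLink.Text is written into the page unchanged, so this is
        // the place where the encoding has to happen; the database keeps the
        // raw "s&w value" as chelvis requires.
        hlModelName.Text = HttpUtility.HtmlEncode(sMName);

        modelNameCell.Controls.Add(hlModelName);
        return modelNameCell;
    }
}
```

Two contexts, two encoders: HtmlEncode is wrong for the query string (the next page would receive the literal text "&amp;") and UrlEncode is wrong for the link text, which is why the replacement of '&' with a space that nikkiH calls the cheap way is lossy rather than merely ugly. Encoding at the point of output, as here, also means no row in CategoryName ever has to be rewritten.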



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum