ColdFusion Talk (CF-Talk)
How to handle quote symbols
Mike Kear, 10/11/08 10:52 P:

This is something I haven't had to deal with before - might seem strange to you Americans, but I have to figure out how to handle a client who wants the double quote symbol to represent inches. He's a car parts retailer, and sells shock absorbers that are known to his market by inches not centimetres. He doesn't want to represent a 12 inch shock as <quote> 12in throw</quote> he wants to use the double quote symbol.

However the quote symbol is seen by the form as the end of the field when he wants to update his database online, so the form has to be given 12&quot; not 12". I either have to make sure there are no double quote symbols in the database, or put a replace() somewhere before the variable goes to the form html.

Here's my question. Do you store 12" in the database, or 12&quot; Does it matter?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Claude Schneegans, 10/11/08 11:04 P:

>>Here's my question. Do you store 12" in the database, or 12&quot;
>>Does it matter?

Use '12"' what's the problem?

Mike Kear, 10/11/08 11:21 P:

G'day Claude,

The problem is that the <input tag sees the double quote as the end of the field, so it terminates the value there, when in fact the full description is something like 12" COIL OVER REM/RES

When the client calls up that product to be edited, the form shows the description as '12' not '12" COIL OVER REM/RES'. Even if he's not editing the description, when he clicks submit, the description is changed to '12'.

Isaac's remedy makes sense and that's what I'll use I think.

I'm sorry if this seems like a very elementary problem, but it's the first time I've had to deal with last century measurements - we converted to metric several decades ago.

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month

Brad Wood, 10/12/08 01:44 A:

> I'm sorry if this seems like a very elementary problem, but it's the
> first time I've had to deal with last century measurements - we
> converted to metric several decades ago.

Doood... this really has nothing to do with measurements and everything to do with escaping text based on its output medium. You should be wrapping ALL output variables in HTMLEditFormat when outputting something in HTML that can contain arbitrary characters. This is the kind of stuff XSS is made of. Imagine a well placed value that went something like this:

"> <script>alert('I have complete control of this webpage');</script>

~Brad

s. isaac dealey, 10/12/08 02:03 P:

> I'm sorry if this seems like a very elementary problem, but it's the
> first time I've had to deal with last century measurements - we
> converted to metric several decades ago.

Yeah, it's common in the states because our gov't just isn't interested in spending the time & money to convert everything. But Brad's right that you should really be using htmleditformat() for all your forms anyway because that is the way XSS attacks are formed. It's the same sort of deal as cfqueryparam and the recent sql-injection outbreak.

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 781.769.0723
http://onTap.riaforge.org/blog

s. isaac dealey, 10/11/08 11:10 P:

> This is something I haven't had to deal with before - might seem
----- Excess quoted text cut - see Original Post for more -----

Sounds pretty normal on my end.

> However the quote symbol is seen by the form as the end of the field
> when he wants to update his database online, so the form has to be
> given 12&quot; not 12". I either have to make sure there are no
> double quote symbols in the database, or put a replace() somewhere
> before the variable goes to the form html.

Right, you want <input name="yadda" value="#htmleditformat(thevalue)#" />

> Here's my question. Do you store 12" in the database, or 12&quot;
> Does it matter?

I would recommend not storing anything with entities like &quot; in the database, because there's no guarantee the data will always be used for HTML. Maybe it will, maybe it won't. Maybe it'll go out in an email. Maybe it'll go into a PDF. Maybe it'll go into an Excel spreadsheet. Maybe it'll get sent to someone via a webservice. It's usually impossible to know in advance really what formats it might potentially be used in, so generally speaking I recommend storing the value with no formatting and then applying the formatting when outputting or sending to wherever you want it.

hth, ike

--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 781.769.0723
http://onTap.riaforge.org/blog

Adrian Lynch, 10/12/08 12:12 P:

Also, don't store 12", or 12&quot; or 12in in the DB, store 12 and alongside it, in another column, an identifier for inches. It'll make life easier when you need to query the info.

Adrian
Building a database of errors at http://cferror.org/
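Brad's and Isaac's point is that the quote is only a problem in one output medium, the HTML attribute, and that the fix is to escape for that medium at output time. The following is an added example (not code from the thread or from ColdFusion) that shows the same thing in Python: `html.escape(quote=True)` plays the role of CFML's HTMLEditFormat(), `render_input_unescaped` reproduces the broken form from Mike's post, and `value_seen_by_browser` approximates what the browser reads back as the value attribute, which is what gets submitted on the next save. The description string and the field name are constructed sample data.

```python
"""Escaping a form value for the HTML attribute context.

Added example; not from the CF-Talk thread. html.escape(quote=True) stands in
for CFML's HTMLEditFormat(). The sample description, the probe value and the
field name are constructed for the demonstration.
"""
import html
import re

# Constructed sample: the raw description exactly as it should live in the
# database, with the inch symbol and no HTML entities.
RAW_DESCRIPTION = '12" COIL OVER REM/RES'

# Constructed probe of the shape Brad describes: closes the attribute and the
# tag, then supplies its own markup. A harmless alert is enough to show it.
XSS_PROBE = '"> <script>alert(1)</script>'


def render_input_unescaped(name: str, value: str) -> str:
    """The broken pattern from the thread: the raw value goes straight into the
    attribute, so the first double quote in it ends the value attribute."""
    return f'<input name="{name}" value="{value}" />'


def render_input_escaped(name: str, value: str) -> str:
    """The fix: escape for the HTML attribute context at output time.
    quote=True converts both " and ' to entities, as HTMLEditFormat() does."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input name="{safe_name}" value="{safe_value}" />'


_VALUE_ATTR = re.compile(r'value="([^"]*)"')


def value_seen_by_browser(tag: str) -> str:
    """Approximate what a browser reads as the value attribute: the text up to
    the first raw double quote, with entities decoded. This is the value that
    would be written back to the database on the next form submit."""
    match = _VALUE_ATTR.search(tag)
    return html.unescape(match.group(1)) if match else ""


def tag_count(markup: str) -> int:
    """Number of '<' characters in the rendered markup; a correctly escaped
    input element contains exactly one (its own)."""
    return markup.count("<")


if __name__ == "__main__":
    print(render_input_unescaped("description", RAW_DESCRIPTION))
    print(value_seen_by_browser(render_input_unescaped("description", RAW_DESCRIPTION)))
    print(render_input_escaped("description", RAW_DESCRIPTION))
    print(value_seen_by_browser(render_input_escaped("description", RAW_DESCRIPTION)))
```

Run as a script, the unescaped form shows the description collapsing to `12`, exactly the symptom Mike describes, while the escaped form round-trips the full `12" COIL OVER REM/RES`. The same escaping turns the probe into inert text, which is why Brad recommends wrapping every output variable rather than special-casing the inch symbol.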
Aaron Rouse, 10/12/08 12:19 P:

Having a units column is always a great idea since it also helps for doing conversions at a later date, if the need ever arises, as well as helping with searches such as to see all shock absorbers between 12 and 16 inches long. With that said, though, it is not always a feasible option, since in some cases, sounds like maybe not this, you are typing in a description and within that the units might be presented.

On Sun, Oct 12, 2008 at 11:06 AM, Adrian Lynch <contact@adrianlynch.co.uk> wrote:
----- Excess quoted text cut - see Original Post for more -----
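Adrian's and Aaron's suggestion (store the number in one column and the unit in another) and Isaac's rule (store the value unformatted, format for each medium at output time) fit together, as this added example shows. It is not code from the thread; the product rows, the column names, the unit identifiers and the conversion table are all constructed for the illustration, and the in-memory list comprehension stands in for the SQL range query Aaron mentions.

```python
"""Measurement stored as number + unit, formatted per output medium.

Added example; not from the CF-Talk thread. Product rows, column names and
unit identifiers are constructed sample data.
"""
import html
from dataclasses import dataclass

# Unit identifiers as stored in the units column, with a factor to inches so
# rows entered in different units can be compared. 1 in = 25.4 mm = 2.54 cm.
TO_INCHES = {"in": 1.0, "mm": 1 / 25.4, "cm": 1 / 2.54}


@dataclass(frozen=True)
class Product:
    sku: str
    name: str       # free text; may itself contain quotes or other characters
    length: float   # numeric value only, no symbol, no entity
    unit: str       # key into TO_INCHES


# Constructed sample rows, one of them entered in millimetres.
PRODUCTS = [
    Product("SHK-12", "COIL OVER REM/RES", 12, "in"),
    Product("SHK-14", "COIL OVER REM/RES", 14, "in"),
    Product("SHK-35", "MONOTUBE", 350, "mm"),      # about 13.78 in
    Product("SHK-18", "COIL OVER", 18, "in"),
]


def length_in_inches(p: Product) -> float:
    """Normalise a row's length to inches using its units column."""
    return p.length * TO_INCHES[p.unit]


def shocks_between(products, lo_in: float, hi_in: float) -> list:
    """Aaron's search: every shock between lo and hi inches, inclusive, whatever
    unit each row was entered in. In SQL this is a WHERE on the numeric column."""
    return [p.sku for p in products if lo_in <= length_in_inches(p) <= hi_in]


def display_length(p: Product) -> str:
    """The client's notation: 12" for inches, a plain unit symbol otherwise.
    Built from the numeric column, never stored."""
    value = f"{p.length:g}"
    return f'{value}"' if p.unit == "in" else f"{value} {p.unit}"


def description_text(p: Product) -> str:
    """Plain-text rendering for an e-mail, a PDF or a spreadsheet export:
    the raw inch symbol, no HTML entities."""
    return f"{display_length(p)} {p.name}"


def description_html(p: Product) -> str:
    """The same content for an HTML page or form value: entities are applied
    here, at output time, and nowhere else."""
    return html.escape(description_text(p), quote=True)


if __name__ == "__main__":
    for p in PRODUCTS:
        print(f"{p.sku}: text={description_text(p)!r} html={description_html(p)!r}")
    print("12-16 in:", shocks_between(PRODUCTS, 12, 16))
```

The same `description_text` feeds every medium; only the HTML path escapes, so nothing with `&quot;` ever reaches the database, and the range search works on the numeric column without parsing any symbol out of a description string.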