
I'm trying to ensure that all characters which are not numeric or alphabetic are converted to HTML code when submitted to my database.

With a bit of Googling, I have come up with this:

Public Shared Function HTMLEncodeSpecialChars(text As String) As String
    Dim sb As New System.Text.StringBuilder()

    ' Emit every character as a numeric entity. AscW returns the Unicode code
    ' point; Asc returns the ANSI code and breaks on anything outside Latin-1.
    For Each c As Char In text
        sb.Append(String.Format("&#{0};", AscW(c)))
    Next
    Return sb.ToString()
End Function

This successfully converts anything to HTML, but now I need to put some condition in there so it only does it where I need it to, i.e. on any character which will either screw up my database entry or screw up formatting when returned back to the screen as HTML (this database content is product data for a website).

So for simplicity, I guess I want to convert only characters which are not A-Z alphabetic or 0-9 numeric.

I could use IsNumeric, but I'm not sure how to detect alphabetic characters.

I've been Googling and found something which looked like it would work, but the logic/filtering was wrong.

So I figured I'd ask here :D

Jamie Hartnoll

1 Answer


You haven't said why existing tools don't work for you, so you might not know about this:

HtmlEncode method in the System.Web namespace:

HTML encoding makes sure that text is displayed correctly in the browser and not interpreted by the browser as HTML.

Edward
  • Thanks, you're right, I was not aware of that. The docs indicate that it's exactly what I need... trouble is, it doesn't seem to work! I'm trying to convert a string of HTML submitted by a form so that it can be inserted into my database. It's causing an error on apostrophes at the moment; should HtmlEncode convert apostrophes? EDIT: using .NET 2.0 if that makes a difference – Jamie Hartnoll Jan 13 '12 at 09:21
  • Additional: I've just had it output the result as text so I can see exactly what's happening. It does seem to be working, but it's still upsetting the submission to the database. A snippet of output is: `<table style="font-family: 'Times New Roman'; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; ...` When I try to send this to my database using MySQL UPDATE, I get `there's an error in your SQL near 'Times` – Jamie Hartnoll Jan 13 '12 at 09:43
  • Ahh, a bit more Googling gave me this http://www.velocityreviews.com/forums/t100026-htmlencode-with-apostrophes.html from which I have deduced that the apostrophe needs converting manually. Therefore `notes = HttpContext.Current.Server.HtmlEncode(Replace(notes, "'", "&#39;"))` is working within my function :-) – Jamie Hartnoll Jan 13 '12 at 10:15
  • @JamieHartnoll Glad to help! I'm not sure how you're doing your DB interaction, but I think using [SqlParameters](http://msdn.microsoft.com/en-us/library/yy6y35y8%28v=VS.80%29.aspx) would take care of sanitizing it for you before you put it in the db... though it's been a long time since I've been in .NET 2.0. More discussion [at this question](http://stackoverflow.com/questions/3479434/sanitizing-sql-data) – Edward Jan 13 '12 at 14:47
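The thread above mixes two separate problems: the question asks how to encode non-alphanumeric characters before storing them, and the comments show that the actual failure ("error in your SQL near 'Times") is an apostrophe ending a string literal in a concatenated UPDATE statement. HTML encoding is an output-side defence for the browser; it is not what protects the query. The VB.NET module below is an added example, not code from the question, the answer, or any of the linked pages. It shows the selective encoder the question asked for (Char.IsLetterOrDigit answers the "how do I detect alphabetic characters" part), the vulnerable concatenated statement beside a parameterized one, and HTML encoding applied at render time. It assumes MySQL Connector/NET (the MySql.Data assembly) for the parameterized query, a reference to System.Web.dll, and placeholder table and column names (`products`, `notes`, `id`) and connection string that are not from the original post.

```vb
' Added example (not from the original question or answer). Assumes .NET 2.0
' or later, a reference to System.Web.dll, and MySQL Connector/NET (MySql.Data).
' Table/column names and the connection string are placeholders.
Imports System
Imports System.Text
Imports System.Web
Imports MySql.Data.MySqlClient

Public Module ProductNotes

    ' What the question asked for: every character that is not ASCII A-Z, a-z
    ' or 0-9 becomes a numeric entity. Char.IsLetterOrDigit on its own would
    ' also pass accented letters, so the AscW < 128 check keeps it to ASCII.
    ' AscW (not Asc) gives the Unicode code point.
    Public Function EncodeNonAlphanumeric(ByVal text As String) As String
        Dim sb As New StringBuilder(text.Length * 2)
        For Each c As Char In text
            If Char.IsLetterOrDigit(c) AndAlso AscW(c) < 128 Then
                sb.Append(c)
            Else
                sb.AppendFormat("&#{0};", AscW(c))
            End If
        Next
        Return sb.ToString()
    End Function

    ' The shape of statement that produced "error in your SQL near 'Times":
    ' the value is spliced into the query text, so an apostrophe in the data
    ' terminates the string literal early and the rest is parsed as SQL.
    ' Shown for contrast only; do not execute this against a live database.
    Public Function BuildUnsafeUpdate(ByVal productId As Integer, ByVal notes As String) As String
        Return "UPDATE products SET notes = '" & notes & "' WHERE id = " & productId
    End Function

    ' The database-side fix: store the text exactly as submitted and pass it as
    ' a parameter. The driver sends the value separately from the SQL text, so
    ' apostrophes, backslashes and HTML markup in the data cannot alter the
    ' statement. No HTML encoding is needed (or wanted) at this stage.
    Public Sub SaveNotes(ByVal connectionString As String, ByVal productId As Integer, ByVal notes As String)
        Using conn As New MySqlConnection(connectionString)
            Using cmd As New MySqlCommand("UPDATE products SET notes = @notes WHERE id = @id", conn)
                cmd.Parameters.AddWithValue("@notes", notes)
                cmd.Parameters.AddWithValue("@id", productId)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' The browser-side fix: encode when rendering, not when storing. On
    ' .NET 2.0/3.5 HttpUtility.HtmlEncode leaves the apostrophe untouched
    ' (it is encoded as &#39; only from .NET 4.0 onward), so it is added
    ' here explicitly in case the value ends up inside a single-quoted
    ' attribute. HtmlEncode has already turned & into &amp;, so this
    ' Replace cannot double-encode anything.
    Public Function RenderNotes(ByVal notes As String) As String
        Return HttpUtility.HtmlEncode(notes).Replace("'", "&#39;")
    End Function

End Module
```

Storing the raw text and encoding on output also keeps the stored data usable for anything that is not an HTML page (feeds, exports, search), which is lost if every non-alphanumeric character is turned into an entity at submission time.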