
Encoding string for apostrophe in asp.net

I am having a problem trying to resolve an apostrophe-related issue.

I have searched SO, but could not find anything that would help me.

My clientside javascript code is:

var strUserText = uSettings.replace(/'/g, "&apos;")  

after the above line is executed, the form does a submit

document.form1.submit();  

In the code-behind, a class retrieves those values:

sUserSettings = request.form("strUserSettings ")  

the result is a semi-truncated string.

Given the above code process flow, how can I save "John O'Brady's ASP Blog" into a database?

I thought I was saving "John O'Brady's ASP Blog" but that isn't working.


Your question is quite vague. Why are you encoding the apostrophe? Is it breaking your output?

The best way to do it would be to submit your data AS-IS to the database... crappy JavaScript injection, apostrophes, HTML markup, and all. Then you simply encode the output.

Server.HtmlEncode(strUserText)

Also, if you're using the latest version .NET, you can encode the output as follows

<%: strUserText %>

(assuming the strUserText string variable is set earlier in your view)


Under no circumstances should you ever take data input "as is" and insert it in a database; serious no-no. As regards the apostrophe - you can take a look at this solution:

calling stored procedure with apostrophe in argument doesn't work

Your question is vague but the above link should clue you into the fact that the solution lies in the way the SQL query is formulated. Above all else, you need to implement proper data validation/filtering of the input and encode it BEFORE inserting it in the database.

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
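A worked example of the approach the two answers above circle around (store the raw value through a parameterized query so the apostrophe never touches the SQL text, then HTML-encode only when rendering). This is added code, not from either answer; the table dbo.UserSettings(Id, Settings) and the connection string name "Main" are assumptions.

```csharp
// Added example (not from the original answers). Assumes a SQL Server table
// dbo.UserSettings(Id INT IDENTITY, Settings NVARCHAR(200)) and a web.config
// connection string named "Main"; both are assumptions for illustration.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class UserSettingsStore
{
    // Store the raw form value. The apostrophe in "John O'Brady's ASP Blog"
    // never reaches the SQL text: it travels as a typed parameter value, so
    // no Replace("'", "''") and no client-side entity substitution is needed.
    public static int Save(HttpRequest request)
    {
        string settings = request.Form["strUserSettings"] ?? string.Empty;
        if (settings.Length > 200)
            throw new ArgumentException("Settings value exceeds 200 characters.");

        string connStr = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "INSERT INTO dbo.UserSettings (Settings) VALUES (@settings);" +
            "SELECT CAST(SCOPE_IDENTITY() AS int);", conn))
        {
            cmd.Parameters.Add("@settings", SqlDbType.NVarChar, 200).Value = settings;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Read it back unchanged, then encode only at the point of HTML output.
    public static string LoadForHtml(int id)
    {
        string connStr = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT Settings FROM dbo.UserSettings WHERE Id = @id;", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object value = cmd.ExecuteScalar();
            string settings = value == null ? string.Empty : (string)value;
            // On .NET 4 or later, "John O'Brady's ASP Blog" is rendered as
            // "John O&#39;Brady&#39;s ASP Blog", which the browser shows unchanged.
            return HttpUtility.HtmlEncode(settings);
        }
    }
}
```

The stored value stays "John O'Brady's ASP Blog" byte-for-byte, so it can still be searched, compared and reused in non-HTML contexts without a decode step.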


don't do this:

var strUserText = uSettings.replace(/'/g, "&apos;")

the reason is that HTML uses the "&" character to delimit query strings and form fields.

I suggest you POST your data AS IS, and handle the replace SERVER SIDE.

sUserSettings = request.form("strUserSettings ").Replace("'", "whatever")


Instead of the JavaScript function, when trying to save John O'Brady's ASP Blog into the database use:

Server.HTMLEncode("John O'Brady's ASP Blog")

result of above will be John O&#39;Brady&#39;s ASP Blog

And when retrieving from the database and want to display it use

Server.HtmlDecode(NameField) where NameField is the name of the column in the table.

this will result in John O'Brady's ASP Blog
