-1

Let's assume I have an <input> tag. The value of this tag is used on change. The problem is that if a user inputs single or double quotation marks, it breaks the code. Right now this is solved quite simply:

  1. Override keypress for these keys;
  2. Forbid paste to input.

Here is the sample Code:

HTML

<input id="TestInput">

Javascript

$("#TestInput").keypress(function (e) { // override keypress of Enter (13), " (34) or ' (39)
    if (e.which == 13 || e.which == 34 || e.which == 39) {
        return false;
    }
})
.bind("paste", function (e) { // forbid paste
    e.preventDefault();
})
.change(function () {
    var value = $(this).val();
    // and then I use this value for my operations
});

Sample Fiddle

The question: is there a better way to get rid of all quotation marks without forbidding paste?

Note: I assume it can be solved with RegExp, but I'm no good with them, so if you can provide a Regexp - this could work.

Thanks everyone in Advance.

Update-1

On change an ajax call is performed to a method which calls the DB, and quotes break the query, which is built roughly like this:

var query = "SELECT Column FROM table WHERE somecolumn LIKE '" + inputVal + "%'";

if inputVal is something like "foo the resulting string will look like:

var query = "SELECT Column FROM table WHERE somecolumn LIKE '" + "foo + "%'";

which obviously breaks the query. Also, there are no items in the database which contain quotes.

Max Novich
  • 1,169
  • 9
  • 20
  • 4
    Don't prevent the user inputting anything - that's bad for UX. Just make sure your code can handle the quotes. Either escape them, or replace them. – Rory McCrossan Nov 26 '13 at 07:59
  • 4
    More important question is why are quotes breaking your code? – Abhitalks Nov 26 '13 at 07:59
  • @Rory McCrossan this is exactly what I ask about. I understand it's a bad practice, but I couldn't implement a better way. – Max Novich Nov 26 '13 at 08:01
  • @MaksymStepanenko in that case we need to see the code which is breaking due to the quotes to show you how to fix that. – Rory McCrossan Nov 26 '13 at 08:01
  • I'll update the question. – Max Novich Nov 26 '13 at 08:02
  • 3
    Use SQLParams instead of directly taking **unsanitised** user input – jasonscript Nov 26 '13 at 08:15
  • @jasonscript can you provide a documentation link? Thank you in advance. – Max Novich Nov 26 '13 at 08:16
  • I think in general it's not good practice to make db calls from the client. You're giving the user too much information. You should have a server-side component that handles your data layer – jasonscript Nov 26 '13 at 08:17
  • @jasonscript I noted that the call is not direct. Ajax calls server side method, which calls the WCF service which call the DB. But it has nothing to do with my question. – Max Novich Nov 26 '13 at 08:19
  • 1
    It does have some bearing because depending on what language you've used for your server-side methods, your syntax is going to change. Here's the **[MSDN article for SQL params in C#](http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter(v=vs.110).aspx)** – jasonscript Nov 26 '13 at 08:20
  • 1
    You should still be sanitising user input first. Using SQL Params is a good step in the right direction though – jasonscript Nov 26 '13 at 08:22
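
As an added example (not code from the question, the answer, or the OP's C#/WCF server), here is the injection the comments are warning about, run end to end against Python's bundled sqlite3 as an offline stand-in for the database. The table, its rows and the inputs are constructed for the demo. It reproduces the question's LIKE concatenation, the answer's quote stripping, and the bound-parameter form that jasonscript's SqlParameter link describes (the `?` placeholder here plays the role of a SqlParameter in C#), with LIKE wildcard escaping added so that `%` and `_` in user text match literally.

```python
import re
import sqlite3

# Constructed sample rows; as in the question, none of them contain quotes.
SAMPLE_ROWS = [("foo",), ("foobar",), ("bar",), ("secret",)]


def make_db():
    """Fresh in-memory table standing in for the OP's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (somecolumn TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", SAMPLE_ROWS)
    return conn


def strip_quotes(value):
    """The client-side approach from the answer: drop every ' and \"."""
    return re.sub(r"['\"]", "", value)


def query_concatenated(input_val, conn=None):
    """The pattern from the question: user text spliced into the SQL string.

    Returns the list of matching values, or an 'ERROR: ...' string when the
    spliced text makes the statement unparseable (the OP's 'breaks the query').
    """
    if conn is None:
        conn = make_db()
    sql = "SELECT somecolumn FROM t WHERE somecolumn LIKE '" + input_val + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally.

    Parameters stop injection but do not stop '%' or '_' from acting as
    wildcards inside a LIKE pattern; this handles that second problem.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def query_parameterized(input_val, conn=None):
    """Same search with the user text bound as a parameter.

    Quotes and wildcards travel as data and can never change the statement.
    """
    if conn is None:
        conn = make_db()
    sql = "SELECT somecolumn FROM t WHERE somecolumn LIKE ? ESCAPE '\\'"
    pattern = escape_like(input_val) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    # Constructed inputs: an honest prefix, a stray quote, an injection
    # payload, and a bare wildcard.
    for text in ["foo", "foo'", "' OR 1=1 --", "%"]:
        print(repr(text))
        print("  concatenated :", query_concatenated(text))
        print("  quotes strip.:", query_concatenated(strip_quotes(text)))
        print("  parameterized:", query_parameterized(text))
```

Stripping quotes on the client does defuse the `' OR 1=1 --` payload, but only for requests that go through that JavaScript; anyone calling the ajax endpoint directly sends whatever they like, and even the stripped version still lets a bare `%` return every row. The bound parameter fixes both, and the escaping keeps a literal `%` or `_` in the search text from becoming a wildcard.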

1 Answer

5

Only handle the data in the textbox:

$("#TestInput").on('input', function () {
    // strip every single and double quote from the current value
    var value = $(this).val().replace(/['"]/g, '');
    // go on with processing data
});
Rudy
  • 2,323
  • 1
  • 21
  • 23
  • Thank you @Rudy, this is exactly what I've asked for. – Max Novich Nov 26 '13 at 08:23
  • Sweet, disable JS and validation disappears. Not such a good plan, eh? – webnoob Nov 26 '13 at 11:05
  • @webnoob this can be done on server side too, no big deal. Anyway, if disabling js breaks the whole thing, there are more problems than this answer here can handle. – Rudy Nov 26 '13 at 11:13
  • @Rudy - Then that should be mentioned to the user. Looking at the OP, he thinks this is the final solution to his issue but it's far from it. This is the reason ALL the comments point to the data needing to be sanitised rather than replacing text on the front end. – webnoob Nov 26 '13 at 12:20
  • @webnoob what you say is not what the OP asked. We could argue about this if you want, but I think the chat is better for that :) – Rudy Nov 26 '13 at 13:17