Robi

> >    Now this is pretty urgent ! I have to asp pages - one a form which gets
> > submitted itself to reflect the new data & another a printer friendly
> > version of the same. The backend is MSSQL. In the form itself, there is no
> > problem in data display even if double quotes are encountered, but the
> same
> > doesn't work in the printer friendly version. The text gets truncated
> > immediately after the double quotes. The values are gathered thru the
> > "request" object. I have even used the asp "replace" function, but still
> no
> 
> What did you replace? You need to escape single quotes for SQL and double
> quotes for ASP. Have you done this?
> 
> > use. The printer friendly one opens up in a separate window.
> 
> Can you post some code, please?

The reason this is happening is that you are not escaping the double quotes. Thus, you bring back the following string from the database:

Nigel "Dark Destroyer" Benn

Inserted into the HTML field, it looks like this:

<input type="text" value="Nigel "Dark Destroyer" Benn" name="test" />

You are effectively closing the double quotes for the value attribute, thus the value is seen as being "Nigel ". In your SQL, replace " with &quot;. I notice you're replacing &quot; with "" in your ASP. This is the wrong way round, as the character entity is what you want. You don't want to output "", as this would be viewable as "". You seem to be getting a little confused as to which layer you're working on. Try and seperate the data, application and presentation layers; at least in your own mind.

On another note, your code is vulnerable to a cross site scripting attack as it stands. Always specify Request.Form() if you're bringing back a value from a posted form - don't use the shorthand version Request().

HTH

Regards

Chris Marsh