Reputation: 232
I am new to ASP and VBScript and attempting to pass a database criteria list to JavaScript. The criteria will be used in SQL statements' IN clause, if that is what it is called. The problem is the parentheses are removed!
The criteria for the IN clause look like
The JavaScript takes two parameters for row and column and searches a database and returns a list of table entries dependent on those conditions or set of conditions.
I've been working with the following:
Response.Write "<td WIDTH='6%' VALIGN='TOP' ALIGN='CENTER' bgcolor = " & ObjDic(elem).clrPreExisting & ">" & vbCRLF
Response.Write "<a href = ""javascript:alert("objDic(elem).critRow")""><font size='2' face='Arial' color='#000000'>" & ObjDic(elem).Get_PreExistingVal(RunningTotal.PreExisting) & "</font></a>" &vbCRLF
Response.Write "</td>" & vbCRLF
The value of objDic(elem).critRow from the immediate window shows
objDic(elem).critRow
"('Not Defined')"
But the Java alert shows Not Defined.
Upvotes: 0
Views: 50
Reputation:
There seem to be a couple of issues with the code. Firstly, you can avoid using the Response.Write calls in most cases by using inline field values with the <%= %> tags. They are a shorthand form of Response.Write, writing the contents of a variable, property or function to the point where they occur. In your case, you could substitute:
Response.Write "<td WIDTH='6%' VALIGN='TOP' ALIGN='CENTER' bgcolor = " & ObjDic(elem).clrPreExisting & ">" & vbCRLF
Response.Write "<a href = ""javascript:alert("objDic(elem).critRow")""><font size='2' face='Arial' color='#000000'>" & ObjDic(elem).Get_PreExistingVal(RunningTotal.PreExisting) & "</font></a>" &vbCRLF
Response.Write "</td>" & vbCRLF
...with...
<td WIDTH='6%' VALIGN='TOP' ALIGN='CENTER' bgcolor = '<%= ObjDic(elem).clrPreExisting %>'>
<a href = "javascript:alert('<%= objDic(elem).critRow %>')"><font size='2' face='Arial' color='#000000'>
<%= ObjDic(elem).Get_PreExistingVal(RunningTotal.PreExisting) %>
</font></a>
</td>
Please, please take out all of the inline formatting and replace it with styling classes...
<style>
.cellClass {width: 6%; text-align: center; vertical-align: top;}
.cellClass a {font-size: small; font-family: arial; color: black;} /* "small" is the CSS equivalent of <font size='2'> */
</style>
...
...
<td class="cellClass" bgcolor = "<%= ObjDic(elem).clrPreExisting %>">
<a href = "javascript:alert('<%= objDic(elem).critRow %>')">
<%= ObjDic(elem).Get_PreExistingVal(RunningTotal.PreExisting) %>
</a>
</td>
I would also recommend sticking to one form of quotation marks. You use several different ones to identify your attributes, including ", ', "" and even none. When I apply values to attributes I always use double speech marks in Classic ASP.
JavaScript is slightly different, though I still use double speech marks to specify the assignment to the attribute, speech marks within the JavaScript code are usually apostrophes ('):
<a href="javascript:alert('Use single speech marks in strings.');">Click me</a>
In VBScript strings you should escape speech marks by doubling them, so...
Response.Write("Paul said: ""Use double speech marks in strings"".")
Finally, your code is slightly wrong, if you want it to work as is. Try this instead:
Response.Write "<td WIDTH='6%' VALIGN='TOP' ALIGN='CENTER' bgcolor = " & ObjDic(elem).clrPreExisting & ">" & vbCRLF
Response.Write "<a href = ""javascript:alert(" & objDic(elem).critRow & ")""><font size='2' face='Arial' color='#000000'>" & ObjDic(elem).Get_PreExistingVal(RunningTotal.PreExisting) & "</font></a>" &vbCRLF
Response.Write "</td>" & vbCRLF
Notice your JavaScript in the middle line - it's missing the concatenation characters (&) before and after the property value.
Upvotes: 1
Reputation: 131
Please be careful with this train of thought. What you may be doing is opening up a huge security hole called a SQL Injection attack. By allowing JavaScript to pass in unsanitized data to your queries, the user could gain full access to your database.
The better approach would be to create a data access layer, which takes in parameters. It would then sanitize the parameters before creating an ad-hoc query or directing them to a SQL stored procedure.
Upvotes: 0
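One way to follow the advice in the last answer for an IN-clause criteria list, as an added example that is not from the original posts: the browser sends only the values, and the server binds each one as an ADO parameter instead of pasting text such as ('Not Defined') into the SQL. The function, table, column and query-string field names, the two limits and the open connection objConn are assumptions.

```vbscript
' Added example. Hypothetical names: QueryByCriteria, table Items,
' columns ItemId / ItemName / RowStatus, query-string field "crit".
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adVarChar = 200    ' ADO DataTypeEnum
Const MAX_VALUES = 20    ' constructed limits for this example
Const MAX_LEN = 50

' conn: an already open ADODB.Connection.
' rawList: pipe-delimited values from the browser, e.g. "Not Defined|Open".
' Returns a Recordset, or Nothing when the input is rejected.
Function QueryByCriteria(conn, rawList)
    Dim values, cmd, marks, i, v
    Set QueryByCriteria = Nothing

    values = Split(rawList, "|")
    If UBound(values) < 0 Or UBound(values) >= MAX_VALUES Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText

    marks = ""
    For i = 0 To UBound(values)
        v = Trim(values(i))
        If Len(v) = 0 Or Len(v) > MAX_LEN Then Exit Function
        If i > 0 Then marks = marks & ", "
        marks = marks & "?"
        ' The value is bound as data; quotes and parentheses in it
        ' are never parsed as SQL.
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarChar, adParamInput, MAX_LEN, v)
    Next

    ' Only "?" marks are concatenated, never the submitted text.
    cmd.CommandText = "SELECT ItemId, ItemName FROM Items " & _
                      "WHERE RowStatus IN (" & marks & ")"
    Set QueryByCriteria = cmd.Execute
End Function

Dim rs
' objConn is assumed to be opened elsewhere on the page.
' Appending "" forces the query-string item to a plain string.
Set rs = QueryByCriteria(objConn, Request.QueryString("crit") & "")
If rs Is Nothing Then Response.Status = "400 Bad Request"
```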