
Thread: Type mismatch: HTMLEncode

  1. #1
    Rebelle

    All,

    I recently added code in red and thought all was fine but I seem to be getting the error below with some recordsets.

    Error:
    Microsoft VBScript runtime error '800a000d'

    Type mismatch: 'HTMLEncode'

    Code:
    <TD bgcolor="yellow">
    	<%' Check to see if they are allowed to edit plan and commit fields
    		If CInt(Session("AccessLevel")) >= 4 Then
    			%><INPUT CLASS="clrBg" type="text" name="Comments<%= i %>" size="75" maxlength="150" value="<%= Server.HTMLEncode(rs("RolloutComments")) %>"><%
    		Else
    			%><INPUT CLASS="clrBg" type="text" name="Comments<%= i %>" size="75" maxlength="150" readonly value="<%= Server.HTMLEncode(rs("RolloutComments")) %>"><%
    		End If
    	%>
    </TD>
    
    I added the new code to take care of any apostrophes, characters, etc.

  2. #2
    jmurrayhead

    This error is probably occurring due to NULL values. However, why use Server.HtmlEncode for displaying in an input box that a user would edit? You'll get funky looking characters then. I only use this when outputting data from the database to be displayed on the page.


  3. #3
    Rebelle

    Oh. I think I was trying it to see if it would take care of the users entering apostrophes and getting an error and not updating. I can take it out but then apostrophes will have an issue.

  4. #4
    jmurrayhead

    Quote, originally posted by Rebelle:
    > Oh. I think I was trying it to see if it would take care of the users entering apostrophes and getting an error and not updating. I can take it out but then apostrophes will have an issue.

    HTMLEncode is for a totally different purpose. When you submit data to the database, it's easiest to look into using parameterized queries. Then you don't have to worry as much about sanitizing input. However, you can use a function such as this to sanitize the single quotes:
    Code:
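    Function ValidateStr(strValue)
    	Dim strTemp
    	strTemp = strValue
    	' Strip leading and trailing whitespace
    	strTemp = Trim(strTemp)
    	' Double each single quote so it is read as a literal quote inside a quoted SQL string
    	strTemp = Replace(strTemp,"'","''")
    	ValidateStr = strTemp
    End Function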
    
    Call this function using the data that is being input and then you won't have to worry about the single quotes issue.


  5. #5
    richyrich

    If you're talking about using textbox values in db queries, then use parameteri(s/z?)ed queries.

    In MySQL it would look something like:
    Code:
     
    sql = "INSERT INTO tbl_name(col1,col2,col3) VALUES(?value1,?value2,?value3)"
    mycommand.parameters.addwithvalue("value1",request.form("textbox1"))
    mycommand.parameters.addwithvalue("value2",request.form("textbox2"))
    mycommand.parameters.addwithvalue("value3",request.form("textbox3"))
    
    Where mycommand is an instance of a DB Command object.

    I know the syntax for parameters is slightly different if using MSSQL and I guess Access as well.

    But you should try this to prevent problems with apostrophes and to help stop SQL injection attacks.

    Hope that helps.

  6. #6
    Rebelle

    Hmmm....I'm trying to remember all I changed, but here is what I have on the updatefinish.asp page for the comments field.

    Code:
    sComments = replace(Request.Form("Comments" & nCounter),"'","''")
    
    then

    Code:
    sSql = "update tblRollout set DistrictID = " & sDistrict & ", ToolID = " & sTool & ", RolloutShipped = " & sPMS & ",NewRequest = " & sNRS & ", NewCommit = " & sNCS & ", NewShip = " & sNSS & ", RolloutComments = '" & sComments & "' "
    sSql = sSql & " WHERE ToolID=" & sTool & " and DistrictID=" & sDistrict & " "
    
    I think without the HTMLEncode code in red in the first post it would not allow the user to use single or double quotes, but I'll take out the code in red and retry.

  7. #7
    jmurrayhead

    Use the function I posted above like this:

    Code:
    sSql = "update tblRollout set DistrictID = " & ValidateStr(sDistrict) & ", ToolID = " & ValidateStr(sTool) & ", RolloutShipped = " & ValidateStr(sPMS) & ",NewRequest = " & ValidateStr(sNRS) & ", NewCommit = " & ValidateStr(sNCS) & ", NewShip = " & ValidateStr(sNSS) & ", RolloutComments = '" & ValidateStr(sComments) & "' "
    sSql = sSql & " WHERE ToolID=" & ValidateStr(sTool) & " and DistrictID=" & sDistrict & " "
    
    I'm not sure which of those fields above are String or numeric, but you get the idea.
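    The UPDATE from post #6 can also be sent with bound parameters, as posts #4 and #5 suggest, so that no form value is ever spliced into the SQL text. This is an added example, not code from any poster in this thread; it assumes an open ADODB.Connection named conn, integer ToolID and DistrictID columns, and a 150-character text column for RolloutComments, and it updates only the comment column.

```vbscript
' Added example (not from the thread). Assumptions: conn is an open
' ADODB.Connection; ToolID and DistrictID are integer columns;
' RolloutComments holds up to 150 characters (the form's maxlength).
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adExecuteNoRecords = 128

Sub UpdateRolloutComment(conn, toolId, districtId, comments)
    Dim cmd, text

    ' Reject non-numeric keys before they reach the database.
    If Not IsNumeric(toolId) Or Not IsNumeric(districtId) Then
        Err.Raise vbObjectError + 1, "UpdateRolloutComment", "ToolID and DistrictID must be numeric"
    End If

    ' Enforce the 150-character limit on the server; maxlength in the
    ' HTML form is only a browser-side hint.
    text = Left(Trim(comments & ""), 150)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText

    ' Positional ? markers: values bind in the order they are appended.
    cmd.CommandText = "UPDATE tblRollout SET RolloutComments = ? " & _
                      "WHERE ToolID = ? AND DistrictID = ?"

    ' The comment travels as data, so apostrophes and double quotes
    ' need no doubling or escaping.
    cmd.Parameters.Append cmd.CreateParameter("@comments", adVarChar, adParamInput, 150, text)
    cmd.Parameters.Append cmd.CreateParameter("@toolId", adInteger, adParamInput, , CLng(toolId))
    cmd.Parameters.Append cmd.CreateParameter("@districtId", adInteger, adParamInput, , CLng(districtId))

    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' Usage with the variable names from post #6:
' UpdateRolloutComment conn, sTool, sDistrict, Request.Form("Comments" & nCounter)
```

    With bound parameters the comment must not also be passed through Replace or ValidateStr, otherwise each apostrophe is stored twice.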


  8. #8
    Rebelle

    Sorry so slow on this....just been having a hard time with other stuff....I'm going to use what you provided but one question, will this also take care of double quotes? I'm trying to remember why I added the HTMLEncode....and I think it was supposed to cover double quotes but not for sure.

    Thanks again! I need a huggy smilie!!!

  9. #9
    jmurrayhead

    Quote, originally posted by Rebelle:
    > Sorry so slow on this....just been having a hard time with other stuff....I'm going to use what you provided but one question, will this also take care of double quotes? I'm trying to remember why I added the HTMLEncode....and I think it was supposed to cover double quotes but not for sure.
    >
    > Thanks again! I need a huggy smilie!!!

    There won't be any problems when using double quotes. Just single quotes.


  10. #10
    Rebelle

    Ok, I can add single and double quotes with no problems.

    After I add something like -

    This' is a test for 8" tools

    I can add and view it on my results screen and it shows the whole comment but when I go to my edit view, it shows -

    This' is a test for 8

    It doesn't cause any errors but won't show anything after the double quotes while in edit view. Do you need to see the code on my edit screen (comment field)? Or tell me what I can look/check for?

    Thanks!
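
    The cut-off value in post #10 is what a browser does when a raw `"` sits inside a double-quoted value attribute: the attribute ends at that character. The Type mismatch in post #1 is Server.HTMLEncode being handed a Null field. The added example below (not code from any poster in this thread) covers both with a Null-safe encoder for the edit field; the helper names AttrEncode and WriteCommentInput are hypothetical, while rs, i and the field markup follow post #1.

```vbscript
' Added example (not from the thread). AttrEncode and WriteCommentInput
' are hypothetical helper names; the markup mirrors the input in post #1.

Function AttrEncode(value)
    ' Server.HTMLEncode raises "Type mismatch" when given Null,
    ' so a Null or Empty column is rendered as an empty string.
    If IsNull(value) Or IsEmpty(value) Then
        AttrEncode = ""
    Else
        ' HTMLEncode writes " as &quot; (and &, <, > as entities), so the
        ' value can no longer close the attribute or open a new tag.
        AttrEncode = Server.HTMLEncode(CStr(value))
    End If
End Function

Sub WriteCommentInput(index, fieldValue, canEdit)
    Dim readOnlyAttr
    If canEdit Then
        readOnlyAttr = ""
    Else
        readOnlyAttr = " readonly"
    End If

    ' CLng keeps the field-name suffix numeric.
    Response.Write "<INPUT CLASS=""clrBg"" type=""text"" name=""Comments" & CLng(index) & """" & _
                   " size=""75"" maxlength=""150""" & readOnlyAttr & _
                   " value=""" & AttrEncode(fieldValue) & """>"
End Sub

' Usage inside the recordset loop from post #1. .Value is read explicitly
' so the helper receives the column's data, not the ADO Field object:
' WriteCommentInput i, rs("RolloutComments").Value, CInt(Session("AccessLevel")) >= 4
```

    The browser decodes `&quot;` back to `"` when it displays the field and when it submits the form, so the comment `This' is a test for 8" tools` appears in full in the edit view and posts back unchanged.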
