We all know that collecting information from users can be dangerous. Not because the user means to be malicious, but because you may not have a procedure or function in place to handle single quotes or double quotes, and that causes problems when the data is passed to the database. In most cases a SQL Stored Procedure can handle "SQL Injection" with single quotes and double quotes. However, with Dynamic Forms or Dynamic Registration, tokens should be encapsulated inside '$(Token)'. So if you're passing a Token into a stored procedure call:
exec MyProcedure '$(Token)'
You can see how collecting a ' in a textbox and passing it to a stored procedure, or inserting it directly into a database table, can become an issue. For instance, let's say that the value I provided for a textbox in Dynamic Forms was John O'Neal.
When using the $(FirstName) token from this form in a SQL Completion Event, the value would render as:
'John O'Neal'
The apostrophe in the name closes the string literal early, so the statement now has an odd number of single quotes and is malformed.
This is why handling quotes on the client side, rather than on the server side, can be beneficial within Dynamic Forms or Dynamic Registration.
Add this JavaScript function to your Dynamic Form or Dynamic Registration Custom JavaScript file:
-------------------------------------------------------------------------------------------------------------------------
function Replace_Single_Double_Quotes(DF_QuestionID)
{
    // Read the current value of the field whose client ID was passed in
    var QuestionValue = document.getElementById(DF_QuestionID).value;
    // Tracks whether the next " should become a left (opening) or right (closing) double quote
    var NeedRightQuote = 'False';
    // Check each character in QuestionValue
    for (var i = 0; i < QuestionValue.length; i++)
    {
        // Is this character a '?
        if (QuestionValue.charAt(i) == "'")
        {
            // Replace it with a typographic apostrophe (’). Earlier ' characters have
            // already been replaced, so the first match is the character at position i
            QuestionValue = QuestionValue.replace("'", "’");
        }
        // Is this character a "?
        if (QuestionValue.charAt(i) == '"')
        {
            if (NeedRightQuote == 'False')
            {
                // Replace " with a left (opening) double quote
                QuestionValue = QuestionValue.replace('"', "“");
                NeedRightQuote = 'True';
            }
            else
            {
                // Replace " with a right (closing) double quote
                QuestionValue = QuestionValue.replace('"', "”");
                NeedRightQuote = 'False';
            }
        }
    }
    // Write the converted value back into the field
    document.getElementById(DF_QuestionID).value = QuestionValue;
}
-------------------------------------------------------------------------------------------------------------------------
Once the function is included in your Dynamic Form or Dynamic Registration Custom JavaScript file, you can call it from the form. The function call will look like so:
Replace_Single_Double_Quotes($(TokenName_FieldID));
Be sure to include “_FieldID” in your token name when calling this function.
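To make the effect on the rendered SQL concrete, here is an added example (not code from this post or from Dynamic Forms) that renders the post's exec MyProcedure '$(Token)' template with the John O'Neal value three ways: unchanged, after the typographic conversion above written as a pure function, and after the T-SQL convention of doubling single quotes, which keeps the user's text intact. The function names renderCompletionEvent, typographicQuotes, escapeSqlLiteral and singleQuoteCount are chosen here; the client-side conversion changes what the user typed, so the stored procedure still needs to handle quotes on its own.

```javascript
// Added example (not from the original post): the quote conversion as a
// pure function next to the standard T-SQL alternative, so the rendered
// SQL can be compared. $(Token) and "John O'Neal" come from the post.

// Renders a Completion Event template the way the post describes:
// the token is replaced verbatim inside the surrounding single quotes.
function renderCompletionEvent(template, value) {
  return template.split("$(Token)").join(value);
}

// Pure-function form of Replace_Single_Double_Quotes: ' becomes a
// typographic apostrophe, " alternates between opening and closing quotes.
function typographicQuotes(value) {
  let needRightQuote = false;
  let out = "";
  for (const ch of value) {
    if (ch === "'") {
      out += "\u2019";                              // ’
    } else if (ch === '"') {
      out += needRightQuote ? "\u201D" : "\u201C";  // ” or “
      needRightQuote = !needRightQuote;
    } else {
      out += ch;
    }
  }
  return out;
}

// T-SQL convention for a single quote inside a string literal: double it.
// Unlike the typographic conversion this leaves the stored text unchanged.
function escapeSqlLiteral(value) {
  return value.replace(/'/g, "''");
}

// A statement whose literals are well formed has an even number of
// single quotes; an odd count means a literal was terminated early.
function singleQuoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

const TEMPLATE = "exec MyProcedure '$(Token)'";   // from the post
const NAME = "John O'Neal";                       // from the post

const raw = renderCompletionEvent(TEMPLATE, NAME);
const typographic = renderCompletionEvent(TEMPLATE, typographicQuotes(NAME));
const escaped = renderCompletionEvent(TEMPLATE, escapeSqlLiteral(NAME));

console.log(raw, singleQuoteCount(raw));                  // 3 quotes: broken literal
console.log(typographic, singleQuoteCount(typographic));  // 2 quotes: well formed
console.log(escaped, singleQuoteCount(escaped));          // 4 quotes: well formed
```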
Let me know if you have any questions.