Replace charactures

[Bamarama]

hey gang.

I am having a problem with something. I run an online tournament site.
With hosting for clans, more so then not, the clan tags contain charactures
like + { [ in front of the tag letters.
what I am having a problem with is if it starts with a +, it isn't picking
up the name correctly. If in a sql statement, it looks for a tag that starts
with a +, it won't find it. And sometimes, when it is supposed to move the
tag over in a bracket, it moves it without the +.

for example, +EcK+ is the tag, it will either not find it, or move it over
as EcK without the +'s.

is there any way around this?
i know for some strings, such as things with ' you can use

replace (request.form("var"), "'", "''")

but not sure about these other charactures.
any help out there??
it would be most appreciated

 

[Sheco]

I am not entirely clear on the problem but my guess is that some of the character data is being interpretted as belonging to the SQL statement instead of being part of the input data.


Suppose you have this:[tt]
sName = "Bob"
sSQL = "SELECT * FROM Clans WHERE ClanName Like '" & sName & "%'"
Set myRS = cn.Execute(strSQL)[/tt]

The wildcard 'Bob%' will return stuff like:
Bob
Boba Fett
Bob Smith
Bobby
... etc... anything that starts with B-o-b



Now suppose you have this:[tt]
sName = "Bob[abc]"
sSQL = "SELECT * FROM Clans WHERE ClanName Like '" & sName & "%'"
Set myRS = cn.Execute(strSQL)[/tt]


The wildcard 'Bob[abc]%' will only return stuff like:
Boba Fett
Bobby
... etc... Anything that begins with B-o-b-a, B-o-b-b, or B-o-b-c

 

[Sheco]

The solution is to put the entire thing in quotes after you do the Replace to "escape" any of the interior quote marks.

See here split into two steps for illustration purposes:
[tt]
'Test a value with an internal quote character:
sName = "Boba Fett's Bounty Hunter License"

'Double up the quote to "escape" the character
sName = Replace(sName, "'", "''")

'Put the whole thing inside quotes
sName = "'" & sName & "'"
[/tt]

 

[Bamarama]

ok, i know without seeing some code, this may be difficult to understand what i am doing.

we will let ctag be the clan tag (+EcK+, -=CSI=-) things like that. because with online gaming clans, the tag can be whatever.

so when i click on a tag in the bracket. the brackets are below. this isn't the page that they can be clicked on, but just to show them.

http://tournamentsbyeck.com/tourney/bracketsdb.asp?id=1

now in game 1 +EcK+Bam got a bye. that moved over correctly like it should. now when a name is moved over, to create the bottom bracket in game 9, it looks ok. but in game 9, if +EcK+Bam wins or loses, it is moved as just EcK Bam as you can see.
game 12, same thing +EcK+ moved over as EcK. but if you look at the bottom, the loser of game 12 (+EcK+Phanatic11) moved down to game 23 with the +'s. so i am confused, as to why it sometimes sees and moves with the +'s, and sometimes does not.
so here is the code that moves the names.

<%

var1 = request.querystring("game")
var2 = request.querystring("clan")
tid = request.querystring("id")

if var1 = 15 then

set game1 = conn.execute("select username from bracketdb_"&tid&" where game = " & var1 & " and username <> '" & var2 & "'")
if game1.eof then
var_loser = "BYE"
else

var_loser = trim(game1.fields.item("username").value)
end if
var3 = 60

strSQL = "update bracketdb_"&tid&" set username = '" & var2 & "' where pos = 60"
conn.execute (strSQL)


strSQL = "update bracketdb_"&tid&" set reported = 'yes' where game = " & var1 & ""
conn.execute (strSQL)

var4 = var1 + 30

strSQL = "update bracketdb_"&tid&" set username = '" & var_loser & "' where pos = " & var4 & ""
conn.execute (strSQL)

else

set game1 = conn.execute("select username from bracketdb_"&tid&" where game = " & var1 & " and username <> '" & var2 & "'")
if game1.eof then
var_loser = "BYE"
else

var_loser = trim(game1.fields.item("username").value)
end if
var3 = var1 + 16

strSQL = "update bracketdb_"&tid&" set username = '" & var2 & "' where pos = " & var3 & ""
conn.execute (strSQL)

'strSQL = "insert into matches (winner, loser, irnd) values ('" & var2 & "', '" & var_loser & "', " & irnd & ")"
'conn.execute (strSQL)

strSQL = "update bracketdb_"&tid&" set reported = 'yes' where game = " & var1 & ""
conn.execute (strSQL)

var4 = var1 + 30

strSQL = "update bracketdb_"&tid&" set username = '" & var_loser & "' where pos = " & var4 & ""
conn.execute (strSQL)

end if



response.redirect "bracket_report_admin22asp.asp?id="&tid&"&clan="&var_loser&"&pos="&var4&""

%>

 

[Bamarama]

ok, so what do i replace with??

with a ' i can replace with ''
but with a +, do i replace with ++?

so i replace a ' with '' i got that and use that.
but what do i replace a + with???

 

[Bamarama]

ooops, that didn't come out right.

'Double up the quote to "escape" the character
sName = Replace(sName, "'", "''")

'Put the whole thing inside quotes
sName = "'" & sName & "'"

so i replace a ' with '' i got that and use that.
but what do i replace a + with???

that is the reply i meant

 

[Bamarama]

the problem lies in the querystring i believe.

because the name isn't getting passed correctly or something.

here is the link with the variables (going to a test page just to show)

http://tournamentsbyeck.com/tourney/bracket_report_adminasptest.asp?id=1&game=9&clan=+EcK+Bam

as you can see, the clan variable says +EcK+Bam
but once you get to the page, it shows EcK Bam

now all that is on this page is

var2 = request.querystring("clan")

response.write var2

 

[Tarwn]

Is it possible your using the value in a Querystring somewheer and not properly escaping it? if thats the case you might be running into an issue where the +'s are being interpreted as spaces by the web server before you even get them back out of Request.QueryString (and then insert them in your SQL statement that way)

 

[Bamarama]

ahhaaa

that sounds like the problem. so how do we fix this??

 

[Sheco]

Server.URLEncode

 

[Bamarama]

wonderful... thx for the help