querystring datetime


mcnewsxp

where am i f'ing up with this onclick?


<input id='DownLoadReportButton' runat='server' type='button'
value='Download Report'

onclick='window.open("AssetPurchaseSummaryReport_Download.aspx?
BeginDate=" + document.getElementById("beginDateTextBox") +
"&EndDate=" + document.getElementById("endDateTextBox"));' />




thanks much,
mike
 

Stanimir Stamenkov

Tue, 7 Jun 2011 17:46:36 -0700 (PDT), /mcnewsxp/:
where am i f'ing up with this onclick?

Impossible to tell - you've given no information what's f'ing up,
really.
<input id='DownLoadReportButton' runat='server' type='button'
value='Download Report'

onclick='window.open("AssetPurchaseSummaryReport_Download.aspx?
BeginDate=" + document.getElementById("beginDateTextBox") +
"&EndDate=" + document.getElementById("endDateTextBox"));' />

You must encode/escape markup characters & < > in text content
appropriately:

&amp;
&lt;
&gt;
 

Jukka K. Korpela

You must encode/escape markup characters & < > in text content
appropriately:

&amp;
&lt;
&gt;

In _this_ context, the "&" character should be escaped, although this is
a matter of principle and validity rather than a practical issue (unless
the page is really served with an XHTML media type). Browsers will in
practice process the data in the intended way, since although they will
try to interpret &EndDate as an entity reference, that will (presently)
fail, so they take it literally.

But the reason is not that it is in "text content", and it's not even in
text content under normal definitions (but in an attribute value). The
reason is that it is HTML. If the window.open() invocation were in a
separate JavaScript file, used via <script src="..."></script>, it would
be unnecessary and incorrect (and would surely cause problems) to escape
the "&".

Similarly, in _HTML_, whether in element content or in an attribute
value, the "<" character should be escaped (when it is not meant to be
the first character of a tag).

There is never any other reason to escape ">" than for symmetry with
escaping "<". Oh... wait... well, you _can_ write
<p title=foo&gt;bar>xxx</p>
according to the HTML5 drafts and browser practice, and _here_ you can't
just use ">" instead of "&gt;", as
<p title=foo>bar>xxx</p>
would be taken so that the first ">" ends the tag. But even here,
escaping the ">" is not necessary, in the sense that you can use
quotation marks instead:
<p title="foo>bar">xxx</p>
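The point above, that the "&amp;" is needed because the onclick text is HTML first and JavaScript only after the HTML parser has decoded it, can be seen with a small model. This is an added example, not code from the thread: escapeAttr() escapes a value for use inside a quoted HTML attribute, and decodeAttr() is a simplified stand-in for what a browser does to the attribute value (it decodes a known named reference or a numeric reference terminated by ";" and leaves any other "&" literal; real parsers also accept a few legacy references without ";", which this model deliberately ignores).

```javascript
// Added example (not from the thread). Simplified model of HTML attribute
// escaping/decoding; NAMED is the handful of references the model knows.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Escape a string so it can sit inside a quoted HTML attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Decode what the parser would decode inside an attribute value: a known
// named reference or a numeric reference followed by ";". Anything else
// after "&" (such as "&EndDate=") stays literal, which is why the thread's
// unescaped onclick still happens to work.
function decodeAttr(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Build a complete attribute from JavaScript source so that the decoded
// attribute value is exactly the source again.
function onclickAttr(js) {
  return 'onclick="' + escapeAttr(js) + '"';
}

// Demonstration on the thread's own handler text (constructed input).
const js = 'window.open("Report.aspx?BeginDate=" + b + "&EndDate=" + e);';
console.log(onclickAttr(js));                 // the "&" becomes "&amp;"
console.log(decodeAttr(escapeAttr(js)) === js); // true: round-trips cleanly
```

Note that this applies only to script text embedded in HTML; the same text placed in an external .js file must not be escaped, exactly as the post above says.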
 

mcnewsxp

this works:

onclick='window.open("WebForm1.aspx?BeginDate=" +
document.getElementById("beginDateTextBox").value + " &EndDate=" +
document.getElementById("endDateTextBox").value);'
 

Denis McMahon

where am i f'ing up with this onclick?

I think you're trying to write too much javascript inside the onclick
handler. As a result, you're not laying the code out in a structured
manner, which can make it hard to see problems. You could try the
following approach.

In your document head:

<script type="text/javascript">

// elId function defined to save typing
function elId(x) {return document.getElementById(x);}

// display the Asset Purchase Summary Report download page
function displayAPSR_D () {
var sDate, eDate, page, query;
sDate = elId("beginDateTextBox").value;
eDate = elId("endDateTextBox").value;
// do any validation of sDate and eDate here!
page = "AssetPurchaseSummaryReport_Download.aspx";
query = "?BeginDate=" + sDate + "&EndDate=" + eDate;
window.open(page + encodeURI(query));
}

</script>

In your document:

<input id='DownLoadReportButton' runat='server' type='button'
value='Download Report' onclick='displayAPSR_D();' />

I'm not familiar with the runat attribute, so I'm not going to comment
further.

Rgds

Denis McMahon
 

mcnewsxp

I think you're trying to write too much javascript inside the onclick
handler. As a result, you're not laying the code out in a structured
manner, which can make it hard to see problems. You could try the
following approach.

In your document head:

<script type="text/javascript">

    // elId function defined to save typing
    function elId(x) {return document.getElementById(x);}

    // display the Asset Purchase Summary Report download page
    function displayAPSR_D () {
        var sDate, eDate, page, query;
        sDate = elId("beginDateTextBox").value;
        eDate = elId("endDateTextBox").value;
        // do any validation of sDate and eDate here!
        page = "AssetPurchaseSummaryReport_Download.aspx";
        query = "?BeginDate=" + sDate + "&EndDate=" + eDate;
        window.open(page + encodeURI(query));
        }

</script>

In your document:

<input id='DownLoadReportButton' runat='server' type='button'
       value='Download Report' onclick='displayAPSR_D();' />

I'm not familiar with the runat attribute, so I'm not going to comment
further.

Rgds

Denis McMahon

i finally got the onclick to parse correctly, but had another report
to add that required begin and end dates that were defaulted to a
fixed start and the current date. so i had to do something like you
demonstrate.
thanks.
 

mcnewsxp

this works:

onclick='window.open("WebForm1.aspx?BeginDate=" +
document.getElementById("beginDateTextBox").value + " &EndDate=" +
document.getElementById("endDateTextBox").value);'
 

Denis McMahon

this works:

onclick='window.open("WebForm1.aspx?BeginDate=" +
document.getElementById("beginDateTextBox").value + " &EndDate=" +
document.getElementById("endDateTextBox").value);'

This works, presumably, as long as the contents of "beginDateTextBox" and
"endDateTextBox" match the correct format.

Supposing I enter 2011-04-05 instead of 5/4/2011, and are you expecting
American or European dates?

I think you ought to do a validation check for the dates *before*
generating the query from them, although you also need to re-validate the
get data server side before using it anyway.

At the very least, you could check that "beginDateTextBox" was before
"endDateTextBox".

Never assume that the form users will enter meaningful and sensible data
in the format that you're expecting it! For example, you will have a
broken URL query part if there's a space in either of the data fields.

Rgds

Denis McMahon
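The two replies above (move the handler into a named function, validate the dates before building the query, check that the begin date is not after the end date, and do not let a space or "&" in a field break the query part) can be put together in one function. This is an added example, not Denis's code or the original poster's: it accepts the two formats mentioned in the thread, yyyy-mm-dd and US m/d/yyyy, which is an assumption made for the example, and encodes each query value with encodeURIComponent. The text box ids and the page name come from the thread.

```javascript
// Added example (not from the thread). Client-side date validation and
// query building for the report button. Format choice is an assumption:
// yyyy-mm-dd or US m/d/yyyy; anything else is rejected.

// Parse a date string into a UTC Date, or return null if it is not a real date.
function parseDate(text) {
  const s = String(text).trim();
  let y, m, d, match;
  if ((match = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s))) {
    [y, m, d] = [match[1], match[2], match[3]].map(Number);
  } else if ((match = /^(\d{1,2})\/(\d{1,2})\/(\d{4})$/.exec(s))) {
    [m, d, y] = [match[1], match[2], match[3]].map(Number);
  } else {
    return null;
  }
  const date = new Date(Date.UTC(y, m - 1, d));
  // Date() silently rolls 2011-02-30 over to March; reject such input instead.
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== m - 1 || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

function toIso(date) {
  return date.toISOString().slice(0, 10);
}

// Encode every key and value separately so spaces, "&", "/" or "=" inside a
// field cannot be mistaken for query syntax.
function buildQuery(params) {
  return '?' + Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Returns { url } when both dates are valid and ordered, else { errors }.
function buildReportUrl(page, beginText, endText) {
  const errors = [];
  const begin = parseDate(beginText);
  const end = parseDate(endText);
  if (!begin) errors.push('BeginDate is not a valid date: ' + beginText);
  if (!end) errors.push('EndDate is not a valid date: ' + endText);
  if (begin && end && begin > end) errors.push('BeginDate must not be after EndDate');
  if (errors.length) return { errors };
  // Send the normalised form so the server only ever sees one format.
  return { url: page + buildQuery({ BeginDate: toIso(begin), EndDate: toIso(end) }) };
}

// Browser-side handler for the thread's button; assumes the thread's text box
// ids. It is defined but not called here, so the block also runs under Node.
function downloadReport() {
  const result = buildReportUrl('AssetPurchaseSummaryReport_Download.aspx',
    document.getElementById('beginDateTextBox').value,
    document.getElementById('endDateTextBox').value);
  if (result.errors) {
    alert(result.errors.join('\n'));
    return;
  }
  window.open(result.url);
}

// Demonstration on constructed input.
console.log(buildReportUrl('AssetPurchaseSummaryReport_Download.aspx', '2011-04-05', '5/4/2011'));
console.log(buildReportUrl('AssetPurchaseSummaryReport_Download.aspx', '5/4/2011', '2011-02-30'));
```

The button would then use onclick='downloadReport();' exactly as in Denis's layout. As the reply also says, this is a convenience for the user, not a security control: the server must validate the two GET parameters again before using them.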
 

mcnewsxp

This works, presumably, as long as the contents of "beginDateTextBox" and
"endDateTextBox" match the correct format.

Supposing I enter 2011-04-05 instead of 5/4/2011, and are you expecting
American or European dates?

I think you ought to do a validation check for the dates *before*
generating the query from them, although you also need to re-validate the
get data server side before using it anyway.

At the very least, you could check that "beginDateTextBox" was before
"endDateTextBox".

Never assume that the form users will enter meaningful and sensible data
in the format that you're expecting it! For example, you will have a
broken URL query part if there's a space in either of the data fields.

Rgds

Denis McMahon

sure. the rudiments of data entry.

the guy who assigns my project tasks is a developer too. i am paid by
the hour - and not that much per hour...heh. so i will do whatever he
asks. he knows his users.

but the date format is validated. the user can enter it in several
formats and get the same result.

thanks again.
 

Jonathan N. Little

Denis said:
This works, presumably, as long as the contents of "beginDateTextBox" and
"endDateTextBox" match the correct format.

Supposing I enter 2011-04-05 instead of 5/4/2011, and are you expecting
American or European dates?


or something like: "; DROP TABLE ..."

;-)
 

mcnewsxp

or something like: "; DROP TABLE ..."

;-)

WHERE BeginDate = "DROP TABLE' ?

actually the <asp:parameter type="DATETIME" ....> will prevent
infusion. but i didn't mention anything about this being an app in
the OP.
 

Jonathan N. Little

mcnewsxp said:
WHERE BeginDate = "DROP TABLE' ?

No, there was a leading ";" which is important for stacking SQL queries.
But it was just an example.
actually the <asp:parameter type="DATETIME" ....> will prevent
infusion. but i didn't mention anything about this being an app in
the OP.

Many a SQL server has been compromised by a simple oversight and lack of
data validation.
 

Jonathan N. Little

Sherm said:
Ah, little Bobby Tables, we call him.

I am just flabbergasted how often developers neglect to validate and
sanitize input! Amateur and professionally produced products.
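What the typed parameter mentioned earlier in the thread buys you is shown below in plain JavaScript. This is an added example, not code from the thread or from ASP.NET: the GET query is parsed, each date is accepted only as a canonical yyyy-mm-dd value, and the SQL text is a constant while the dates travel as typed parameters, which is the shape a real prepared statement has. The statement object, the table and column names, and the parameter syntax are made up for the example and are not any driver's API; a stacked "; DROP TABLE" in the query string never reaches the SQL text because the parameter check rejects it first.

```javascript
// Added example (not from the thread). Server-side re-validation of the two
// GET parameters and binding them as typed parameters to a fixed statement.
// SQL_TEXT, the table and column names, and the statement shape are made up.
const SQL_TEXT =
  'SELECT * FROM Purchases WHERE PurchaseDate BETWEEN @BeginDate AND @EndDate';

// Turn the query part of the request URL into a plain object.
function parseQuery(search) {
  const out = {};
  for (const [k, v] of new URLSearchParams(search)) out[k] = v;
  return out;
}

// Accept only a canonical yyyy-mm-dd string that names a real date.
function toSqlDate(value) {
  if (typeof value !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(value)) return null;
  const d = new Date(value + 'T00:00:00Z');
  if (Number.isNaN(d.getTime())) return null;
  // Engines that roll 2011-02-30 over to March fail this round-trip check.
  return d.toISOString().slice(0, 10) === value ? d : null;
}

// Build the statement: SQL text never depends on the input, values are typed.
function prepareReportQuery(query) {
  const params = {};
  for (const name of ['BeginDate', 'EndDate']) {
    const date = toSqlDate(query[name]);
    if (!date) {
      throw new TypeError(name + ' must be a yyyy-mm-dd date, got ' + JSON.stringify(query[name]));
    }
    params[name] = { type: 'DATETIME', value: date };
  }
  if (params.BeginDate.value > params.EndDate.value) {
    throw new RangeError('BeginDate is after EndDate');
  }
  return { sql: SQL_TEXT, params };
}

// Demonstration on constructed requests.
console.log(prepareReportQuery(parseQuery('?BeginDate=2011-04-05&EndDate=2011-05-04')));
try {
  prepareReportQuery(parseQuery("?BeginDate='; DROP TABLE Purchases--&EndDate=2011-05-04"));
} catch (e) {
  console.log('rejected: ' + e.message); // the value never reaches SQL_TEXT
}
```

Whether the client-side check in the earlier example ran or not makes no difference here; a request crafted by hand gets the same treatment as one from the form.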
 

Allodoxaphobia

the guy who assigns my project tasks is a developer too. i am paid by
the hour - and not that much per hour...heh. so i will do whatever he
asks. he knows his users.

What!!??? "he knows his users."???!!
A great percentage of his users are going to be crackers/spammers.
 

mcnewsxp

What!!???  "he knows his users."???!!
A great percentage of his users are going to be crackers/spammers.

it's a private business site. the users will only be using it to look
at business reports. the numbers wouldn't mean anything to anyone
except the users with accounts and the number of accounts isn't really
that large.
yes, twits will hack anything tho.
 

Jonathan N. Little

mcnewsxp said:
it's a private business site. the users will only be using it to look
at business reports. the numbers wouldn't mean anything to anyone
except the users with accounts and the number of accounts isn't really
that large.
yes, twits will hack anything tho.

"It's of no value to others" is a very poor security strategy. The data
on the server may be of little value to hackers but the server itself is
of value. Ignoring common security practice doesn't only compromise the
data but also the server supplying the data...another bot server on the
web to spew more spam and even more insidious things...
 

mcnewsxp

"It's of no value to others" is a very poor security strategy. The data
on the server may be of little value to hackers but the server itself is
of value. Ignoring common security practice doesn't only compromise the
data but also the server supplying the data...another bot server on the
web to spew more spam and even more insidious things...

please do not assume that security concerns have not been addressed.
logon is performed via web service on a separate box. data entry
validation is being performed. all i meant to say was when the boss
asks me to add code that performs additional validation i will do it -
but not before and it is nothing i need to suggest to him. he is a
developer himself so he knows the ABCs.
 