Question: String variable as literal

I have what I THINK is an incredibly simple question, though I can't
resolve it.

I have a reference that returns a string which oftentimes contains "\".
These returned strings are produced by a DLL, which is out of my
control. The string is assigned to a variable:

string returnedValue;
returnedValue=Encrypt("my data");
(returnedValue is assigned something like "x9wk2\nSjsk"; notice the
"\n")

I need the string to be interpreted literally elsewhere in my code
(it's being injected into a table, and the escape-sequences are being
processed in the queries and erroring-out the commands), but when I try
to convert the escape-sequence character, nothing changes:

returnedValue=returnedValue.Replace("\\","\\\\");
-or-
returnedValue=returnedValue.Replace(@"\",@"\\");

(returnedValue is still "x9wk2\nSjsk")

I'm tearing my hair out here; what am I missing?

Dec 15 '05 #1
How do you know that the contents of the string are, really,
"x9wk2\nSjsk"? How did you "see" that? In the debugger? The debugger
changes control characters into escape sequences so that you can read
them. If you saw this in the debugger, then your string probably
doesn't contain a character "\" followed by a "n", but rather a newline
character, which is probably why your database barfed.

Anyway, you should never inject data directly into SQL queries. You
should, instead, do one of two things:

1. Write a static "EscapeTextForSql" method that cleans up your text
before you inject it into your query, in particular removing
non-printable characters and doubling all single quotes.

or

2. Use SqlParameters rather than building a complete query string.

Dec 15 '05 #2
ki*****@gmail.com <ki*****@gmail.com> wrote:
I have what I THINK is an incredibly simple question, though I can't
resolve it.

I have a reference that returns a string which oftentimes contains "\".
These returned strings are produced by a DLL, which is out of my
control. The string is assigned to a variable:

string returnedValue;
returnedValue=Encrypt("my data");
(returnedValue is assigned something like "x9wk2\nSjsk"; notice the
"\n")

I need the string to be interpreted literally elsewhere in my code
(it's being injected into a table, and the escape-sequences are being
processed in the queries and erroring-out the commands), but when I try
to convert the escape-sequence character, nothing changes:

returnedValue=returnedValue.Replace("\\","\\\\");
-or-
returnedValue=returnedValue.Replace(@"\",@"\\");

(returnedValue is still "x9wk2\nSjsk")

I'm tearing my hair out here; what am I missing?


What exactly is processing the queries? If it's a SQL query, you should
use SQL parameters instead. Unless it's actually a C# compiler, you
almost certainly don't want to perform the same escaping as C# needs...

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
Dec 17 '05 #3
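
What replies #2 and #3 recommend, as an added C# example that is not part of the original thread: it prints the string's code points to tell a real newline from a backslash followed by "n", then stores the value through a SqlParameter instead of escaping it. The table dbo.Secrets, its Payload column, the DEMO_SQL_CONN environment variable and the sample string are assumptions made for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient on current .NET

static class LiteralDemo
{
    // Render each char as a hex code point, so a real newline (000A) can be
    // told apart from a backslash (005C) followed by the letter n (006E).
    static string CodePoints(string s)
    {
        var parts = new string[s.Length];
        for (int i = 0; i < s.Length; i++) parts[i] = ((int)s[i]).ToString("X4");
        return string.Join(" ", parts);
    }

    // Bind the value as a parameter: it is sent as data and never parsed as SQL,
    // so newlines, backslashes and single quotes need no escaping.
    // dbo.Secrets and Payload are hypothetical names.
    static string RoundTrip(SqlConnection conn, string value)
    {
        const string sql =
            "INSERT INTO dbo.Secrets (Payload) OUTPUT INSERTED.Payload VALUES (@payload);";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@payload", SqlDbType.NVarChar, 256).Value = value;
            return (string)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Constructed stand-in for the DLL's output: it holds a real newline.
        string returnedValue = "x9wk2\nSjsk";
        Console.WriteLine(CodePoints(returnedValue));
        // There is no backslash in the string, so the Replace from the
        // question has nothing to match and returns an equal string.
        Console.WriteLine(returnedValue.Replace(@"\", @"\\") == returnedValue);

        // Assumption: DEMO_SQL_CONN is a connection string to a test database.
        string cs = Environment.GetEnvironmentVariable("DEMO_SQL_CONN");
        if (string.IsNullOrEmpty(cs)) return;   // database part skipped when unset
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();
            string tricky = returnedValue + @"\ O'Brien";   // newline, backslash, quote
            Console.WriteLine(RoundTrip(conn, tricky) == tricky);
        }
    }
}
```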
