Heavily used functions


Phil Barber

I do a lot of SQL statements, and these statements require a lot of quoted
strings. To this end I have a small one-line routine:

    private string QuotedStr(string Value)
    {
        return "'" + Value + "'";
    }

I use this function many, many times.
The problem I have is that I need to write this small function (along with others)
in each class, web form, etc. I use.
I would really like to write this in one class and use it every place. I
looked into static functions, but you end up referencing the function by
MyClass.QuotedStr(). Well, this is a little better, but
I guess what I am looking for is a way to globalize this function. It would
be great if I could somehow just add it to the string class. Anyway, any
ideas would be appreciated.
Phil.
 

Bruce Wood

No, you need to do exactly what you outlined: make it a static method
in some class. Here is mine:

    /// <summary>
    /// Formats a database value into a string format suitable for
    /// query operations. For example, strings are quoted.
    /// </summary>
    /// <param name="columnValue">The value to be used in a SQL statement.</param>
    /// <returns>A string representation of that value.</returns>
    public static string ValueToSQLString(object columnValue)
    {
        switch (Type.GetTypeCode(columnValue.GetType()))
        {
            case TypeCode.String:
                // Strings are escaped and wrapped in single quotes.
                return "'" + EscapeText(columnValue.ToString()) + "'";
            default:
                // Other types (numbers, dates, ...) are emitted via ToString().
                return EscapeText(columnValue.ToString());
        }
    }

    /// <summary>
    /// Escapes the given text so that it can appear within single quotes in a
    /// SQL statement.
    /// </summary>
    /// <param name="textToEscape">The string to escape.</param>
    /// <returns>The escaped string, ready to be included in a SQL statement.</returns>
    public static string EscapeText(string textToEscape)
    {
        // Backslash-style escaping: first double every backslash, then
        // prefix every single quote with a backslash.
        string backslashesEscaped = textToEscape.Replace(@"\", @"\\");
        string backslashAndSingleQuoteEscaped = backslashesEscaped.Replace(@"'", @"\'");

        return backslashAndSingleQuoteEscaped;
    }

Remember that you have to escape any quote characters and backslash
characters in your Value in order to prevent SQL injection attacks!
This is the value of always calling a central method rather than doing
it in every form!
 

Jon Skeet [C# MVP]

Phil Barber said:
I do a lot of SQL statements, and these statements require a lot of quoted
strings.

Can you not use parameterised statements? That would be a lot better in
general - potentially faster, less garbage created, and safer from SQL
injection attacks.
To this end I have a small one-line routine:

    private string QuotedStr(string Value)
    {
        return "'" + Value + "'";
    }

I use this function many, many times.
The problem I have is that I need to write this small function (along with others)
in each class, web form, etc. I use.
I would really like to write this in one class and use it every place. I
looked into static functions, but you end up referencing the function by
MyClass.QuotedStr(). Well, this is a little better, but
I guess what I am looking for is a way to globalize this function. It would
be great if I could somehow just add it to the string class. Anyway, any
ideas would be appreciated.

You certainly can't add it to the string class.

I can't remember for sure, but I *think* that in C# 2.0 you could do
something like:

using static MyClass;

along with your other using directives, and that that would allow you
to just call QuotedStr. For the moment, just use MyClass.QuotedStr(...)
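As an added example that is not part of this thread (not Phil's, Bruce's or Jon's code), here are the two suggestions above side by side in one runnable file: a single static helper class, SqlText, whose QuotedStr quotes by doubling the embedded single quote (the ANSI SQL form; Bruce Wood's helper uses backslash escaping instead, which is what MySQL expects), brought into scope with a "using static" directive (available since C# 6), next to the parameterised command Jon Skeet recommends. The example assumes the Microsoft.Data.Sqlite NuGet package so that it can run against an in-memory database offline; the Users table, its rows and the two test inputs are constructed for the example.

```csharp
// Added example, not from the thread. Assumes the Microsoft.Data.Sqlite
// NuGet package (in-memory SQLite) so it runs offline; table, rows and
// inputs below are constructed for the demonstration.
using System;
using System.Data.Common;
using Microsoft.Data.Sqlite;
using static SqlText;   // lets the rest of the file call QuotedStr(...) unqualified

public static class SqlText
{
    // Quote a string literal the ANSI SQL way: double every embedded single quote.
    // (Bruce Wood's EscapeText uses backslash escaping, which is MySQL-specific.)
    public static string QuotedStr(string value)
    {
        if (value == null) return "NULL";
        return "'" + value.Replace("'", "''") + "'";
    }
}

public static class Demo
{
    // Constructed in-memory table with one name that contains an apostrophe.
    static DbConnection Open()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "CREATE TABLE Users (Name TEXT); " +
                "INSERT INTO Users VALUES ('alice'), ('O''Brien'), ('bob');";
            cmd.ExecuteNonQuery();
        }
        return conn;
    }

    // Naive concatenation: the input becomes part of the SQL grammar.
    static long CountNaive(DbConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        return (long)cmd.ExecuteScalar();
    }

    // Central quoting helper: correct only as long as every literal goes through it.
    static long CountQuoted(DbConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = " + QuotedStr(name);
        return (long)cmd.ExecuteScalar();
    }

    // Parameterised statement: the value never touches the SQL text at all.
    static long CountParameterised(DbConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        var p = cmd.CreateParameter();
        p.ParameterName = "@name";
        p.Value = name;
        cmd.Parameters.Add(p);
        return (long)cmd.ExecuteScalar();
    }

    public static void Main()
    {
        using var conn = Open();
        // Constructed inputs: a legitimate name with an apostrophe, and a
        // classic tautology payload.
        string[] inputs = { "O'Brien", "x' OR '1'='1" };
        foreach (var input in inputs)
        {
            Console.WriteLine($"input: {input}");
            try
            {
                Console.WriteLine($"  naive concatenation: {CountNaive(conn, input)}");
            }
            catch (DbException e)
            {
                Console.WriteLine($"  naive concatenation: error ({e.Message})");
            }
            Console.WriteLine($"  QuotedStr helper:    {CountQuoted(conn, input)}");
            Console.WriteLine($"  parameterised:       {CountParameterised(conn, input)}");
        }
    }
}
```

Running it shows the difference the thread is about: the naive concatenation breaks on the apostrophe in O'Brien and lets the second input rewrite the WHERE clause so that every row matches, while both the central QuotedStr helper and the parameterised command treat each input as a plain value and match only a row whose name is literally that string. The helper only protects the statements that remember to call it; the parameter does not depend on the caller's discipline, which is why it is the better default.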
 
