Question: String variable as literal

kihoshk

I have what I THINK is an incredibly simple question, though I can't
resolve it.

I have a reference that returns a string which oftentimes contains "\".
These returned strings are produced by a DLL, which is out of my
control. The string is assigned to a variable:

string returnedValue;
returnedValue=Encrypt("my data");
(returnedValue is assigned something like "x9wk2\nSjsk"; notice the
"\n")

I need the string to be interpreted literally elsewhere in my code
(it's being injected into a table, and the escape-sequences are being
processed in the queries and erroring-out the commands), but when I try
to convert the escape-sequence character, nothing changes:

returnedValue=returnedValue.Replace("\\","\\\\");
-or-
returnedValue=returnedValue.Replace(@"\",@"\\");

(returnedValue is still "x9wk2\nSjsk")

I'm tearing my hair out here; what am I missing?
 
Bruce Wood

How do you know that the contents of the string are, really,
"x9wk2\nSjsk"? How did you "see" that? In the debugger? The debugger
changes control characters into escape sequences so that you can read
them. If you saw this in the debugger, then your string probably
doesn't contain a character "\" followed by a "n", but rather a newline
character, which is probably why your database barfed.

Anyway, you should never inject data directly into SQL queries. You
should, instead, do one of two things:

1. Write a static "EscapeTextForSql" method that cleans up your text
before you inject it into your query, in particular removing
non-printable characters and doubling all single quotes.

or

2. Use SqlParameters rather than building a complete query string.
 
Jon Skeet [C# MVP]

What exactly is processing the queries? If it's a SQL query, you should
use SQL parameters instead. Unless it's actually a C# compiler, you
almost certainly don't want to perform the same escaping as C# needs...
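
Both replies point at the same two things: the debugger shows a real newline as \n, and the value should travel as a SQL parameter. The following is an added example, not code from the thread; the Encrypt stand-in, the Tokens table, the TokenValue column and the connection string are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework; on modern .NET use the Microsoft.Data.SqlClient package
using System.Text;

static class LiteralStringDemo
{
    // Hypothetical stand-in for the DLL's Encrypt(): the result holds a real
    // newline (U+000A), which a debugger displays as the two characters \n.
    static string Encrypt(string plain) => "x9wk2\nSjsk";

    // Show control characters as code points so the true contents are visible.
    static string Visualize(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
            if (char.IsControl(c)) sb.AppendFormat("<U+{0:X4}>", (int)c);
            else sb.Append(c);
        return sb.ToString();
    }

    // Parameterized INSERT: the value is sent as data and is never parsed as SQL
    // text. Table and column names are hypothetical.
    static SqlCommand BuildInsert(SqlConnection conn, string value)
    {
        var cmd = new SqlCommand("INSERT INTO Tokens (TokenValue) VALUES (@value)", conn);
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 256).Value = value;
        return cmd;
    }

    static void Main()
    {
        string returnedValue = Encrypt("my data");
        Console.WriteLine("Actual contents: " + Visualize(returnedValue));
        // There is no backslash character in the string, so Replace matches nothing.
        Console.WriteLine("Contains backslash: " + returnedValue.Contains("\\"));
        Console.WriteLine("Replace changed it: " + (returnedValue.Replace(@"\", @"\\") != returnedValue));

        // Placeholder connection string; nothing connects until Open() is called.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        using (var cmd = BuildInsert(conn, returnedValue))
        {
            Console.WriteLine("SQL text: " + cmd.CommandText);
            Console.WriteLine("@value:   " + Visualize((string)cmd.Parameters["@value"].Value));
            // To run against a real database: conn.Open(); cmd.ExecuteNonQuery();
        }
    }
}
```

The SQL text stays constant whatever the DLL returns, so newlines, quotes and backslashes in the value need no escaping at all.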
 
