Re: backslashing a quote in a string


From: Ed Kaim (ed_at_sharplogic.com)
Date: 01/21/05


Date: Fri, 21 Jan 2005 06:51:19 -0800

Besides the double-quote issue, you should consider the potential security
implications of this code. I don't know what your backend is, but having
someone use something like

';drop foo;select * from foo where bar like '

in the textbox could cause problems down the road.

"glenn" <ghan***@softeksoftware.com> wrote in message
news:%23XfR7z7$EHA.3616@TK2MSFTNGP11.phx.gbl...
> Sure thing:
>
> What has happened is I'm working on an old database schema where some of
> the fields have spaces in their name. When this happens the database
> requires that you put double quotes around the field names when issuing a
> query. So here is where I am building the string to make up a query where
> the user selects what elements they want to search on. This is only a
> fragment...
>
> if ( serialbox.Text != "" )
>
> query += "\"Equipment Serial Number\" like '%" + serialbox.Text + "%' ";
>
> before sending this I tested one more time while my brain was fresh and I
> think last night that I did not replace the \ with another quote because I
> just did it again and it's working now. I'm sorry for the trouble. I had
> been going since about 5:30am yesterday and it was late...
>
> Thanks for the help,
>
> glenn
>
>
> "Tim Wilson" <TIM(UNDERSCORE)WILSON(AT)ROGERS(PERIOD)COM> wrote in message
> news:%23%23Vpft7$EHA.2180@TK2MSFTNGP12.phx.gbl...
>> The @ means verbatim or accept the string "as is". The only escapes
>> really being necessary for quotes. Can you describe your problem in a
>> little more depth using exact source code snippets where appropriate?
>>
>> --
>> Tim Wilson
>> .Net Compact Framework MVP
>>
>> "glenn" <ghan***@softeksoftware.com> wrote in message
>> news:OjDCDh3$EHA.1604@TK2MSFTNGP12.phx.gbl...
>> > Well I have been seeing that @ like that and have not figured out what
>> > that is doing, but in this case it won't let me compile after I remove
>> > the backslashes because the double quote throws it off...
>> >
>> > glenn
>> >
>> > "Tim Wilson" <TIM(UNDERSCORE)WILSON(AT)ROGERS(PERIOD)COM> wrote in
> message
>> > news:eXLy5Z3$EHA.1908@TK2MSFTNGP15.phx.gbl...
>> > > Does the following string get you any farther?
>> > > string query = @"field1 = val1 and ""field2"" = val2";
>> > >
>> > > --
>> > > Tim Wilson
>> > > .Net Compact Framework MVP
>> > >
>> > > "glenn" <ghan***@softeksoftware.com> wrote in message
>> > > news:OSqTLP3$EHA.3124@TK2MSFTNGP11.phx.gbl...
>> > > > I have a function call that needs text sent to it for a query.
>> > > > Some fields require a double quote around the field name so I do my
>> > > > variable as such...
>> > > >
>> > > > query = "field1 = val1 and \"field2\" = val2";
>> > > >
>> > > > This is all cool, however, when I send that query string through a
>> > > > function call it ends up with the following:
>> > > >
>> > > > query = "field1 = val1 and \\\"field2\\\" = val2";
>> > > >
>> > > > It backslashes the original backslash that I had to put there in
>> > > > order to get the compiler to work. Can anyone tell me another way to
>> > > > do this so I can finish this program? It's the last thing I have to
>> > > > figure out...
>> > > >
>> > > > Thanks,
>> > > >
>> > > > glenn
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
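The two points raised in this thread, Tim's verbatim-string syntax for the double-quoted field name and Ed's warning about what a crafted textbox value does to a concatenated query, shown side by side in C#. This is an added example, not code from any of the posters; the `Equipment` table name, the `@pattern` parameter and the connection string are assumptions, and the column name "Equipment Serial Number" is taken from glenn's fragment.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumes a SQL Server database with
// a table "Equipment" (hypothetical name) whose column "Equipment Serial Number"
// contains spaces and therefore must be written as a double-quoted identifier.
class SerialSearch
{
    // The pattern from glenn's fragment: the textbox value is pasted straight
    // into the SQL text. Kept only to show what Ed's sample input turns it into.
    static string BuildUnsafeQuery(string serialText)
    {
        // Verbatim string (@"...") as Tim suggested: a double quote inside it is
        // written as "" rather than \", so no backslash ever reaches the SQL.
        string query = @"select * from Equipment where ";
        if (serialText != "")
        {
            query += @"""Equipment Serial Number"" like '%" + serialText + "%' ";
        }
        return query;
    }

    // Hardened form: the identifier still carries its double quotes, but the
    // user's text travels as a parameter value and is never parsed as SQL.
    static SqlCommand BuildSafeCommand(SqlConnection conn, string serialText)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            @"select * from Equipment where ""Equipment Serial Number"" like @pattern";
        // The wildcards are added in code; the user supplies only the middle.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 128).Value =
            "%" + serialText + "%";
        return cmd;
    }

    static void Main()
    {
        // Constructed input: the value Ed quotes in his reply.
        string hostile = "';drop foo;select * from foo where bar like '";

        // Concatenated: the leading single quote closes the LIKE literal and
        // the rest of the textbox value becomes part of the statement.
        Console.WriteLine(BuildUnsafeQuery(hostile));

        // Parameterised: the statement text is fixed and the whole textbox
        // value is just the pattern parameter, so nothing in it is executed.
        // The connection string is a placeholder; the command is never executed here.
        using (SqlConnection conn = new SqlConnection(
            "Server=(local);Database=Inventory;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, hostile);
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@pattern"].Value);
        }
    }
}
```

Run as a console program, the first line printed is the concatenated statement, in which the `';drop foo;select * from foo where bar like '` value has closed glenn's `'%...%'` literal and appended its own statements; the second and third lines show that the parameterised command's text never changes and the hostile value is carried entirely inside `@pattern`. Parameterising also makes the original backslash question moot: only the quoted identifier needs the `""` escape, and that lives in a fixed string literal.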

