
In my MVC-App I want to create a method that will be used everywhere to avoid having any special characters like @, ", ' or anything else provoking a major problem.

So I'm trying to build this method using a regex that parses a string to detect if there's any special characters in the string and put a \ in front of them to make them harmless.

using System.Text.RegularExpressions;

public static string ParseStringForSpecialChars(string stringToParse)
{
    // Anchored pattern: it only matches when the WHOLE string is made of
    // letters, digits and spaces, so a string containing special characters
    // produces no match at all and nothing is replaced.
    const string regexItem = "^[a-zA-Z0-9 ]*$";

    // Regex.Replace throws ArgumentNullException ("Value cannot be null")
    // when stringToParse is null.
    string stringToReturn = Regex.Replace(stringToParse, regexItem, "\\");

    return stringToReturn;
}

There are many problems in my code: 1) I am not familiar with regex and I have trouble figuring out what I wanted to do. Here, I think I was trying to detect if there were any characters other than those in the regexItem; 2) When the code hits the string stringToReturn = line, my app crashed as it says that the value cannot be null.

Can anyone help me out? Thanks!

EDIT

I have been asked to show an example of special characters, here they are:

'/', '.', '*', '+', '?', '|', '(', ')', '[', ']', '{', '}', '\\'

You get the idea, I just want to avoid sending a string to the database containing a ', because that will be interpreted as the end of a string and will provoke an error.

hsim
    There is an `Escape` method for this... – Toon Casteele May 02 '13 at 13:11
  • @ToonCasteele do you mean `Regex.Escape`? That won't escape `@` for instance - it only escapes regex meta-characters, but the set of characters that the OP wants to escape seem to have nothing to do with regex. – Martin Ender May 02 '13 at 13:13
  • An escape method? How does it work? And as @m.buettner mentioned, I want to make sure every special character is trapped by this behavior to avoid problems later on. – hsim May 02 '13 at 13:14
  • And I don't want to "remove" those special characters, rather put a \ in front of them to render them harmless. – hsim May 02 '13 at 13:14
  • Harmless in what context? What would be the problem with an "@" for example? – ispiro May 02 '13 at 13:17
  • Honestly, I don't know, because I also don't know if a string containing @ can do any "harm" or be read badly in a sql server string. – hsim May 02 '13 at 13:18
  • You need to make clear what characters you want escaped – Toon Casteele May 02 '13 at 13:20
  • OK. So we're talking about reading and writing to SQL? Or was that just an example? – ispiro May 02 '13 at 13:20
  • Just an example. @ToonCasteele, ok, I will add up the special characters I want to detect in my post up there. – hsim May 02 '13 at 13:22

1 Answer

If you're worried about writing to sql, check out: SqlParameterCollection.AddWithValue.

As for your code, I think this is it:

using System.Text.RegularExpressions;

public static string ParseStringForSpecialChars(string stringToParse)
{
    // Negated character class: matches each single character that is NOT
    // a letter, digit or space.
    const string regexItem = "[^a-zA-Z0-9 ]";

    // In a .NET replacement string "$&" stands for the whole match, so each
    // matched character is replaced by a backslash followed by itself.
    string stringToReturn = Regex.Replace(stringToParse, regexItem, @"\$&");

    return stringToReturn;
}
ispiro
  • Thanks, but that's not the point, I just want to parse incoming strings to format them before sending them to the database. Nice advice tho. – hsim May 02 '13 at 13:24
  • @HerveS I wasn't clear enough. This method actually escapes all data so it won't create any trouble with sql. For example: if you get a user's input and want to store it, but are afraid a malicious user might enter information like `Drop Table` - this method will escape that. As far as I know(! Might be worth double checking.) – ispiro May 02 '13 at 13:29
  • @HerveS I saw your edit. As far as I know - the method I linked to will avoid any problems like the one you mentioned. See, for example: http://stackoverflow.com/a/859140/939213 . – ispiro May 02 '13 at 13:30
  • This seems to work, but does not cover everything. I will edit my post up there to explain further. – hsim May 02 '13 at 14:04
  • Ah, after a bit of work, I have found out why. I needed to add more special characters, like this: `@"\$%&'"`, and now it works :) – hsim May 02 '13 at 14:07
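As an added example, not code from either poster: the answer's regex placed beside the parameterized query it points to, so both approaches can be compared on the same hostile input. The `Customers` table, the `Name` column, the `@name` parameter and the connection string are assumed names for illustration, and no connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class InputHandling
{
    // The answer's pattern: one match per character that is not a letter,
    // digit or space. "$&" is the whole match, so @"\$&" emits "\" + char.
    private static readonly Regex NonAlnum =
        new Regex("[^a-zA-Z0-9 ]", RegexOptions.Compiled);

    // Mirrors ParseStringForSpecialChars from the answer. Note that T-SQL does
    // not treat a backslash as an escape character inside a string literal
    // (a quote is escaped by doubling it), so this output is still not safe
    // to splice into query text; it only makes the regex behaviour visible.
    public static string BackslashEscape(string input)
    {
        if (input == null) throw new ArgumentNullException("input");
        return NonAlnum.Replace(input, @"\$&");
    }

    // What the answer recommends instead: the user text is bound as a typed
    // parameter, so quotes, '@', ';' or a trailing DROP TABLE are data, not SQL.
    // Table, column and parameter names are assumed for this example.
    public static SqlCommand BuildLookup(SqlConnection conn, string customerName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = @name", conn);
        // An explicit type and length is preferable to AddWithValue, which
        // infers the SQL type from the .NET value.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed hostile input for the demo.
        string hostile = "O'Brien'; DROP TABLE Customers; --";
        Console.WriteLine(BackslashEscape(hostile));
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        using (var cmd = BuildLookup(conn, hostile))
        {
            Console.WriteLine(cmd.CommandText);           // unchanged: the value is not in the text
            Console.WriteLine(cmd.Parameters["@name"].Value);
        }
    }
}
```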