565

I am storing a SQL query in my strings.xml file and I want to use String.Format to build the final string in code. The SELECT statement uses a like, something like this:

SELECT Field1, Field2 FROM mytable WHERE Field1 LIKE '%something%'

In order to format that I replace 'something' with %1$s so it becomes:

SELECT Field1, Field2 FROM mytable WHERE Field1 LIKE \'%%1$s%\'

I escape the single quotes with the backslash. However I am not able to escape the % sign.

How can I include a like statement in my strings.xml file?

HugoTeixeira
  • 4,674
  • 3
  • 22
  • 32
Matthew
  • 11,203
  • 9
  • 38
  • 44
  • Don't forget to escape the %s properly. – Seva Alekseyev Feb 16 '11 at 02:45
  • 35
    [SQL injection alert](http://unixwiz.net/techtips/sql-injection.html). [Prepare yourself](http://download.oracle.com/javase/tutorial/jdbc/basics/prepared.html). – BalusC Feb 16 '11 at 02:45
  • They'd be injecting into their own database, no concern here ;) – Matthew Feb 16 '11 at 03:06
  • 8
    Well, even if it is Your own database, it is possible to accidentally write queries that do bad things. Or just write queries that do not compile. Preparing queries is a good habit to get into. – Rauni Lillemets Nov 28 '14 at 09:16
  • Although it's slower than `String.format()` you might consider using `MessageFormat()` instead. – ccpizza May 17 '18 at 09:53

3 Answers3

1171

To escape %, you will need to double it up: %%.

limc
  • 39,366
  • 20
  • 100
  • 145
26

To complement the previous stated solution, use:

str = str.replace("%", "%%");
Cavaleiro
  • 455
  • 5
  • 7
  • 1
    This will replace % that are already doubled. Please read the other answer. – Toilal Jul 27 '16 at 06:37
  • 6
    @Toilal Why would anyone escape something that is already escaped? And if he would, why not actually do it? Maybe he intended to have two % signs, so the correct escaped form would be '%%%%' – David Balažic Oct 02 '18 at 11:58
4

This is a stronger regex replace that won't replace %% that are already doubled in the input.

str = str.replaceAll("(?:[^%]|\\A)%(?:[^%]|\\z)", "%%");
Toilal
  • 3,301
  • 1
  • 24
  • 32