Escape quote in web.config connection string

asp.net escaping connection-string web-config

Solution 1:

Use " instead of " to escape it.

web.config is an XML file so you should use XML escaping.

connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word"

See this forum thread.

Update:

" should work, but as it doesn't, have you tried some of the other string escape sequences for .NET? \" and ""?

Update 2:

Try single quotes for the connectionString:

connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass"word'

Or:

connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass"word'

Update 3:

From MSDN (SqlConnection.ConnectionString Property):

To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotation marks. If the value contains both a semicolon and a double-quote character, the value can be enclosed in single quotation marks.

So:

connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass"word'"

The issue is not with web.config, but the format of the connection string. In a connection string, if you have a " in a value (of the key-value pair), you need to enclose the value in '. So, while Password=somepass"word does not work, Password='somepass"word' does.

Solution 2:

connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word"

Since the web.config is XML, you need to escape the five special characters:

& -> & ampersand, U+0026
&lt; -> < left angle bracket, less-than sign, U+003C
&gt; -> > right angle bracket, greater-than sign, U+003E
&quot; -> " quotation mark, U+0022
&apos; -> ' apostrophe, U+0027

+ is not a problem, I suppose.

Duc Filan adds: You should also wrap your password with single quote ':

connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass&quot;word'"

Solution 3:

if &quot; isn't working then try &#34; instead.

Solution 4:

Odeds answer is almost complete. Just one thing to add.

  1. Escape xml special chars like Emanuele Greco said.
  2. Put the password in single quotes like Oded said
  3. (this one is new) Escape single ticks with another single tick (ref)

having this password="'; this sould be a valid connection string:

connectionString='Server=dbsrv;User ID=myDbUser;Password='&quot;&amp;&amp;;'

Related

What is the difference between multiprocessing and subprocess?
Decoding base64 in batch
How to make a conditional typedef in C++
In jQuery, how can I tell between a programmatic and user click?
Force all Areas to use same Layout
python JSON only get keys in first level
What is the difference between SqlCommand.CommandTimeout and SqlConnection.ConnectionTimeout?
Detect if text has overflowed [duplicate]
OpenSSL: unable to verify the first certificate for Experian URL
How do I store a current user context in AngularJS?
NSString to CFStringRef and CFStringRef to NSString in ARC?
Where does flask look for image files?