Escape quote in web.config connection string

asp.net escaping web-config connection-string
Sebastian P.R. Gingter picture Sebastian P.R. Gingter · Jul 5, 2010 · Viewed 103.4k times · Source

I have a connection string in my web config:

<add name="MyConString" connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word" providerName="System.Data.SqlClient" />

As you see, there is a quotation sign ( " ) in the password (given from other dept. I can't change this db users password).

How do I have to escape the quote in this connection string?

Btw: I already tried & quot; in the string. That didn't work - ado.net got an ArgumenException then: "Format of the initialization string does not conform to specification starting at index 57." 57 is where the & quot; is in my connection string. I also tried enclosing the password part in ' - didn't work either.

Also tried "" and \" - web.config can't be parsed then.

Thanks for the solution:

I had to combine the escaping of the double quote and putting the password in single quotes:

<add name="MyConString" connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass&quot;word'" providerName="System.Data.SqlClient" />

Answer

Oded picture Oded · Jul 5, 2010

Use &quot; instead of " to escape it.

web.config is an XML file so you should use XML escaping.

connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass&quot;word"

See this forum thread.

Update:

&quot; should work, but as it doesn't, have you tried some of the other string escape sequences for .NET? \" and ""?

Update 2:

Try single quotes for the connectionString:

connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass"word'

Or:

connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass&quot;word'

Update 3:

From MSDN (SqlConnection.ConnectionString Property):

To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotation marks. If the value contains both a semicolon and a double-quote character, the value can be enclosed in single quotation marks.

So:

connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass&quot;word'"

The issue is not with web.config, but the format of the connection string. In a connection string, if you have a " in a value (of the key-value pair), you need to enclose the value in '. So, while Password=somepass"word does not work, Password='somepass"word' does.

Related questions

How do I give JavaScript variables data from ASP.NET variables?

I have created a SCORM API for our LMS and right now I am using hard coded userID and courseID variables (variables that reference things in the database). I need to pass the real userID and courseID instead of using …

Read More
Razor ViewEngine: How do I escape the "@" symbol?

I'm trying to output some Twitter handles in ASP.NET MVC3 in conjunction with the Twitter @Anywhere API, and I haven't been able to figure out how to actually escape the "@" symbol in a Razor view. Does anyone know what …

Read More
URL with multiple parameters as a query string in ASP.NET

In ASP.NET, I build a string redirectURL to redirect to ADFS form with multiple query string parameters. One such complex parameter is the returnURL with multiple parameters. My problem is that only the first parameter of the returnURL is …

Read More