On Fri, Feb 4, 2011 at 12:02 PM, David Kean <david.k...@microsoft.com> wrote:
> I’m really interested in the scenario where you are passing user input as
> the format string – do you have user input with placeholders ({0}) that you
> need to fill?

His problem is double formatting.

Something like:

string likes = "Okay: {0}, I like this: {1}.";

likes = string.Format(likes, "Toby, {0}, other items", "Robots");

string fullStatement = likes + " and I am reachable at {0}.";

fullStatement = string.Format(fullStatement, "sy...@example.org");

Clearly, this will result in the statement:

"Okay: Toby sy...@example.org, I like this: Robots and I am reachable
at sy...@example.org"

And not

"Okay: Toby {0}, I like this: Robots and I am reachable at sy...@example.org"

Which you could get from appropriately quoting the first "{0}" after "Toby".

I mean, arguably this is pretty confusing anyway. But it may happen if
your app is, as he says, suitably layered and passing things around.
It can also be a security issue if someone builds, say, SQL statements
in this manner, passing in security credentials at the end. Luckily, I
would expect nobody is doing this now (I raised this years ago on a
now-defunct blog).

Anyway, I agree, kind of, with meski. The situation just needs to be
cleaned up. Not much to do. I don't think string.Format is ideal
anyway, but it's the best we've got.

-- 
Noon Silk

http://dnoondt.wordpress.com/  (Noon Silk) | http://www.mirios.com.au:8081 >

Fancy a quantum lunch?
http://www.mirios.com.au:8081/index.php?title=Quantum_Lunch

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
