Escape quote in web.config connection string
Solution 1
Use "
instead of "
to escape it.
web.config is an XML file so you should use XML escaping.
connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word"
See this forum thread.
Update:
"
should work, but as it doesn't, have you tried some of the other string escape sequences for .NET? \"
and ""
?
Update 2:
Try single quotes for the connectionString:
connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass"word'
Or:
connectionString='Server=dbsrv;User ID=myDbUser;Password=somepass"word'
Update 3:
From MSDN (SqlConnection.ConnectionString Property):
To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotation marks. If the value contains both a semicolon and a double-quote character, the value can be enclosed in single quotation marks.
So:
connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass"word'"
The issue is not with web.config, but the format of the connection string. In a connection string, if you have a "
in a value (of the key-value pair), you need to enclose the value in '
. So, while Password=somepass"word
does not work, Password='somepass"word'
does.
Solution 2
connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word"
Since the web.config is XML, you need to escape the five special characters:
&
-> &
ampersand, U+0026
<
-> <
left angle bracket, less-than sign, U+003C
>
-> >
right angle bracket, greater-than sign, U+003E
"
-> "
quotation mark, U+0022
'
-> '
apostrophe, U+0027
+ is not a problem, I suppose.
Duc Filan adds:
You should also wrap your password with single quote '
:
connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass"word'"
Solution 3
if
isn't working then try "
instead."
Solution 4
Odeds answer is almost complete. Just one thing to add.
- Escape xml special chars like Emanuele Greco said.
- Put the password in single quotes like Oded said
- (this one is new) Escape single ticks with another single tick (ref)
having this password="'; this sould be a valid connection string:
connectionString='Server=dbsrv;User ID=myDbUser;Password='"&&;'
Sebastian P.R. Gingter
Consultant at Thinktecture AG, Fulltime geek, loving father and trying to become an even better .NET Ninja.
Updated on July 08, 2022Comments
-
Sebastian P.R. Gingter almost 2 years
I have a connection string in my web config:
<add name="MyConString" connectionString="Server=dbsrv;User ID=myDbUser;Password=somepass"word" providerName="System.Data.SqlClient" />
As you see, there is a quotation sign ( " ) in the password (given from other dept. I can't change this db users password).
How do I have to escape the quote in this connection string?
Btw: I already tried & quot; in the string. That didn't work - ado.net got an ArgumenException then: "Format of the initialization string does not conform to specification starting at index 57." 57 is where the & quot; is in my connection string. I also tried enclosing the password part in ' - didn't work either.
Also tried "" and \" - web.config can't be parsed then.
Thanks for the solution:
I had to combine the escaping of the double quote and putting the password in single quotes:
<add name="MyConString" connectionString="Server=dbsrv;User ID=myDbUser;Password='somepass"word'" providerName="System.Data.SqlClient" />
-
Sebastian P.R. Gingter almost 14 yearsThis doesn't work. This obvisously would work, if it was in plain xml, but not within an attribute value.
-
Sebastian P.R. Gingter almost 14 yearsnope. doesnt work. already tried this before asking here... wouldn't have asked...
-
Oded almost 14 years@Sebastian P.R. Gingter - strange that this does not work. Did you try other escape sequences?
-
Sebastian P.R. Gingter almost 14 yearsYes. The whole Web.config can't be parsed when using "" and \". & quot; is not replaced with " within the string and the query string can't be parsed resulting in the stated error. If it were that easy I wouldn't have asked here ;-)
-
Oded almost 14 years@Sebastian P.R. Gingter - people here cannot guess at what you have tried and what you know. You need to include such details in your question (as you now have).
-
Matthew Abbott almost 14 yearsWhat encoding does your web.config use?
-
Sebastian P.R. Gingter almost 14 yearsGreat, thanks. Combining enclosing the password-part in single quotes and using & quot; instead of the double quote worked out.
-
Siken almost 10 yearsIt was the ampersand for me, in a password, stored in the web.config. Obvious, while at the same time being pretty non-obvious to track down. The error that an Azure Website gives you when this is the case in the web.config - "The page cannot be displayed because an internal server error has occurred." It doesn't appear to write anything to the error logs either. Thanks to the OP for the question and you for this reminder.
-
Jo Smo almost 8 yearsI had two double quotes in my password (in the connectionString). Couldn't get it to work. I changed my password. It worked with only one double quote in my password. I also tried to double encode it, but it didn't work.
-
Bluebaron over 4 yearsI think you mean
password='''';
is valid. But your suggestion is the only thing that worked for me. This is actually used in other escape schemes, too. -
Dzianis Yafimau over 4 yearsWhat about square brackets? ([])
-
Kiquenet over 4 yearsand for character &? & ?
-
Kiquenet about 4 yearsMy pass is
h7Ca9;b%
, contains;
character -
Kiquenet about 4 yearsAnd
;
character ? -
Oded about 4 years@Kiquenet - first, you shouldn't post your full password here... And second, that's already been answered:
To include values that contain a semicolon, single-quote character, or double-quote character, the value must be enclosed in double quotation marks. If the value contains both a semicolon and a double-quote character, the value can be enclosed in single quotation marks.
-
Kiquenet about 4 years@Oded pass is not real,only generated