532

I am storing a SQL query in my strings.xml file and I want to use String.Format to build the final string in code. The SELECT statement uses a like, something like this:

SELECT Field1, Field2 FROM mytable WHERE Field1 LIKE '%something%'

In order to format that I replace 'something' with %1$s so it becomes:

SELECT Field1, Field2 FROM mytable WHERE Field1 LIKE \'%%1$s%\'

I escape the single quotes with the backslash. However I am not able to escape the % sign.

How can I include a like statement in my strings.xml file?

HugoTeixeira
  • 4,221
  • 3
  • 20
  • 30
Matthew
  • 10,543
  • 9
  • 36
  • 44
  • Don't forget to escape the %s properly. – Seva Alekseyev Feb 16 '11 at 02:45
  • 32
    [SQL injection alert](http://unixwiz.net/techtips/sql-injection.html). [Prepare yourself](http://download.oracle.com/javase/tutorial/jdbc/basics/prepared.html). – BalusC Feb 16 '11 at 02:45
  • They'd be injecting into their own database, no concern here ;) – Matthew Feb 16 '11 at 03:06
  • 8
    Well, even if it is Your own database, it is possible to accidentally write queries that do bad things. Or just write queries that do not compile. Preparing queries is a good habit to get into. – Rauni Lillemets Nov 28 '14 at 09:16
  • Although it's slower than `String.format()` you might consider using `MessageFormat()` instead. – ccpizza May 17 '18 at 09:53

3 Answers3

1118

To escape %, you will need to double it up: %%.

Tim Cooper
  • 151,519
  • 37
  • 317
  • 271
limc
  • 38,266
  • 19
  • 97
  • 142
21

To complement the previous stated solution, use:

str = str.replace("%", "%%");
Cavaleiro
  • 405
  • 4
  • 7
  • 1
    This will replace % that are already doubled. Please read the other answer. – Toilal Jul 27 '16 at 06:37
  • 4
    @Toilal Why would anyone escape something that is already escaped? And if he would, why not actually do it? Maybe he intended to have two % signs, so the correct escaped form would be '%%%%' – David Balažic Oct 02 '18 at 11:58
3

This is a stronger regex replace that won't replace %% that are already doubled in the input.

str = str.replaceAll("(?:[^%]|\\A)%(?:[^%]|\\z)", "%%");
Toilal
  • 3,121
  • 1
  • 23
  • 32