On Fri, Feb 4, 2011 at 12:02 PM, David Kean <david.k...@microsoft.com> wrote:
> I’m really interested in the scenario where you are passing user input as
> the format string – do you have user input with placeholders ({0}) that you
> need to fill?

His problem is double formatting. Something like:

    string likes = "Okay: {0}, I like this: {1}.";
    likes = string.Format(likes, "Toby, {0}, other items", "Robots");

    string fullStatement = likes + " and I am reachable at {0}.";
    fullStatement = string.Format(fullStatement, "sy...@example.org");

Clearly, this will result in the statement:

    "Okay: Toby sy...@example.org, I like this: Robots and I am reachable at sy...@example.org"

And not

    "Okay: Toby {0}, I like this: Robots and I am reachable at sy...@example.org"

Which you could get from appropriately quoting the first "{0}" after "Toby".

I mean, arguably this is pretty confusing anyway. But it may happen if your app is, as he says, suitably layered and passing things around. It can also be a security issue if someone builds, say, SQL statements in this manner, passing in security credentials at the end. Luckily, I would expect nobody is doing this now (I raised this years ago on a now-defunct blog).

Anyway, I agree, kind of, with meski. The situation just needs to be cleaned up. Not much to do. I don't think string.Format is ideal anyway, but it's the best we've got.

-- 
Noon Silk

http://dnoondt.wordpress.com/ (Noon Silk) | http://www.mirios.com.au:8081 >

Fancy a quantum lunch? http://www.mirios.com.au:8081/index.php?title=Quantum_Lunch

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
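
The double-formatting behaviour described in the message above, as an added example that is not part of the original post: it shows the second pass filling a placeholder carried in by an argument, two ways to keep that placeholder literal, and the exception raised when a carried-in index has no matching argument. The helper `EscapeForFormat`, the class name and the sample address are assumptions made for illustration.

```csharp
using System;

static class DoubleFormatDemo
{
    // Hypothetical helper (not a .NET API): doubles braces so the text is
    // treated as a literal by a later string.Format pass.
    static string EscapeForFormat(string text) =>
        text.Replace("{", "{{").Replace("}", "}}");

    static void Main()
    {
        string name = "Toby, {0}, other items"; // value containing a placeholder, as in the post
        string contact = "someone@example.org"; // constructed sample address

        // Pass 1: the placeholder inside the argument is copied into the output.
        string likes = string.Format("Okay: {0}, I like this: {1}.", name, "Robots");

        // Pass 2 (the problem): the earlier output is reused as a format string,
        // so the copied "{0}" is filled with the contact address.
        string doubled = string.Format(likes + " and I am reachable at {0}.", contact);
        Console.WriteLine(doubled);

        // Option A: escape the earlier output before it becomes part of a format string.
        string escaped = string.Format(
            EscapeForFormat(likes) + " and I am reachable at {0}.", contact);
        Console.WriteLine(escaped);

        // Option B: format once, with every value passed as an argument.
        string once = string.Format(
            "Okay: {0}, I like this: {1}. and I am reachable at {2}.",
            name, "Robots", contact);
        Console.WriteLine(once);

        // Failure mode: a carried-in index with no matching argument throws
        // instead of producing text.
        try
        {
            string.Format(string.Format("Hello {0}", "{5}") + " at {0}", contact);
        }
        catch (FormatException ex)
        {
            Console.WriteLine("FormatException: " + ex.Message);
        }
    }
}
```

For the SQL case the message mentions, the equivalent of Option B is to pass values as query parameters so they never become part of the statement text.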