String.Format is your friend

One of the consultants who works for me was trying to figure out the best way to format strings for writing messages to the event log for a Windows service he’s writing. He was using the horrifying string-concatenation pattern (“blah blah blah” + + “blah blah blah”) that I despise. So I took about 60 seconds to explain the goodness of String.Format to him. It didn’t take much longer than that to convert him to using it.

A quick Google search revealed an excellent String.Format 101 blog post by Kathy Kam. Karl Seguin’s post on the same topic brings performance advantages into the discussion.  Another bit of information I didn’t know before reading his post was that the StringBuilder class has an equivalent AppendFormat method.
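To make the point concrete, here is an added example (mine, not code from the post or from the linked articles) that builds event log messages three ways: concatenation, String.Format, and StringBuilder.AppendFormat. The service name, the message shape and the event source name are assumptions. The security-relevant caveat is in the last function: data belongs in the argument list, never in the format template, otherwise a value containing braces changes the meaning of the template or throws a FormatException.

```csharp
using System;
using System.Diagnostics;
using System.Text;

// Added example for a hypothetical Windows service that logs to the
// Application event log. "ExampleService" is an assumed source name.
static class ServiceLogger
{
    const string Source = "ExampleService";

    // Concatenation: hard to read, easy to drop a space or a quote.
    public static string ConcatMessage(string job, int count, TimeSpan elapsed)
    {
        return "Job " + job + " processed " + count + " items in "
             + elapsed.TotalSeconds + "s";
    }

    // String.Format: one template, positional arguments, format specifiers
    // ({1:N0} adds thousands separators, {2:F2} gives two decimals).
    public static string FormatMessage(string job, int count, TimeSpan elapsed)
    {
        return String.Format("Job {0} processed {1:N0} items in {2:F2}s",
                             job, count, elapsed.TotalSeconds);
    }

    // StringBuilder.AppendFormat: same template syntax when a message is
    // assembled over several steps.
    public static string BuildReport(DateTime finishedUtc, string[] jobs)
    {
        var sb = new StringBuilder();
        sb.AppendFormat("Run finished at {0:u}{1}", finishedUtc, Environment.NewLine);
        for (int i = 0; i < jobs.Length; i++)
            sb.AppendFormat("  [{0}] {1}{2}", i, jobs[i], Environment.NewLine);
        return sb.ToString();
    }

    // Data goes in the arguments, never in the template. If 'job' were spliced
    // into the template instead, a job name containing '{' or '}' would be
    // parsed as a placeholder and String.Format would throw FormatException.
    public static string SafeStatus(string job, bool succeeded)
    {
        // Wrong: String.Format("Job " + job + " {0}", status) -> job is now part of the template.
        string status = succeeded ? "succeeded" : "failed";
        return String.Format("Job {0} {1}", job, status);
    }

    // Writes one entry. Creating an event source needs administrative rights,
    // so in a real service do it once at install time, not on every call.
    public static void WriteToEventLog(string message)
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, "Application");
        EventLog.WriteEntry(Source, message, EventLogEntryType.Information);
    }
}
```

A quick way to use it from the service's worker loop is WriteToEventLog(ServiceLogger.FormatMessage("nightly-import", 12500, elapsed)); the template stays constant and reviewable, while everything that varies at run time travels in the argument list.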

SQL Injection

It’s one thing to know that SQL injection is bad, and quite another to have some stats to back it up. I came across a Michael Sutton blog post on the topic via Joel Spolsky’s latest blog post.

Out of 708 sites checked, 80 had potential vulnerabilities to SQL injection attacks.  Beyond the importance of the topic as a security hole, the most interesting thing about Sutton’s article was the tool he built to come up with these stats.  He used a C# app with the Google API to get his results.  I only wish I had time to build a tool that clever and useful.
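Since the first half of this post is about String.Format, it is worth being explicit about where it does not help: building SQL text. The added example below (mine, not Sutton's tool or anything from the linked posts) shows the vulnerable pattern next to the parameterized version. The Users table, its columns and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a table Users(Name NVARCHAR(100), Email NVARCHAR(200))
// reachable through a connection string supplied by the caller.
static class UserLookup
{
    // Vulnerable: the caller's value is spliced into the SQL text. A name
    // containing a single quote ends the literal early and the rest of the
    // value is parsed as SQL. String.Format does NOT fix this; it is the same
    // concatenation with nicer syntax.
    public static string VulnerableQueryText(string name)
    {
        return String.Format("SELECT Email FROM Users WHERE Name = '{0}'", name);
    }

    // Safe: the SQL text is a fixed template and the value travels as a typed
    // parameter, so the database never parses the user's input as SQL.
    public static string LookupEmail(string connectionString, string name)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Email FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            return cmd.ExecuteScalar() as string;  // null when no row matches
        }
    }

    // Cheap sanity check for code review or a unit test: the query text of the
    // safe version is the same regardless of the input, which is exactly the
    // property the vulnerable version lacks.
    public static bool QueryTextIsInputIndependent()
    {
        const string template = "SELECT Email FROM Users WHERE Name = @name";
        using (var a = new SqlCommand(template))
        using (var b = new SqlCommand(template))
        {
            a.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = "alice";
            b.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = "o'brien";
            return a.CommandText == b.CommandText;
        }
    }
}
```

The fixed-template property is also what makes the safe form easy to audit: a reviewer can read every SQL statement the service can ever send from the source alone, without reasoning about what values might arrive at run time.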