Page History

Many classes allow inclusion of escape sequences in character and string literals; examples include Pattern as java.util.regex.Pattern as well as classes that support XML- and SQL-based actions by passing string arguments to methods. According to the Java Language Specification [ (JLS 2005]), Section 3 §3.10.6, "Escape Sequences for Character and String Literals" [JLS 2013],

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3.10.4) and string literals (§3.10.5).

Correct use of escape sequences in string literals depends on correct requires understanding of how the escape sequences are interpreted by the Java compiler as well as how they are interpreted by any subsequent processor, such as a SQL engine. SQL statements written in Java, for example, sometimes require certain escape characters or sequences (e.g., sequences containing may require escape sequences (for example, sequences containing \t, \n, \r) in certain cases, such as when storing raw text in a database. When representing SQL queries statements in Java string formliterals, all each escape sequences sequence must be preceded by an extra backslash for correct interpretation.

As another example, consider the Pattern class used in performing regular expression-related tasks. A string literal used for pattern matching is compiled into an instance of the Pattern type. When the pattern to be matched contains a sequence of characters identical to one of the Java escape sequences — sequences—"\" and "n", for example — the example—the Java compiler treats that portion of the string as a Java escape sequence and transforms the sequence into a an actual newline character. To avoid inserting a insert the newline escape sequence, rather than a literal newline character, the programmer must precede the "\n" sequence with an additional backslash to prevent the Java compiler from treating it as an escape sequencereplacing it with a newline character. The string constructed from the resulting sequence,

Code Block
"\\n"

consequently contains the correct two-character sequence \n and correctly denotes back references rather than a newlinethe escape sequence for newline in the pattern.

In general, for a particular escape character of the form \X, the equivalent Java representation is

Code Block
"\\X"

Noncompliant Code Example (String Literal)

This noncompliant code example defines a method, splitWords(), that finds matches between the string literal (WORDS) and the input sequence. The programmer believes that string literals can be used as is for regular expression patterns and consequently initializes the string WORDS to "\b", expecting that the string literal will It is expected that WORDS would hold the escape sequence for matching a word boundary. However, the Java compiler treats the "\b" literal as a Java escape sequence, and the string WORDS silently compiles to a regular expression that checks for a single backspace character.

Code Block

bgColor	#FFCCCC


public class BadSplitterSplitter {
  private// finalInterpreted Stringas WORDS = "\b";backspace
  // Fails to split on word boundaries
  private final String WORDS = "\b";

  public String[] splitWords(String input) {
    Pattern ppattern = Pattern.compile(WORDS);
    String[] input_array = ppattern.split(input);
    return input_array;
  }
}

Compliant Solution (String Literal)

This compliant solution shows the correctly escaped value of the string literal WORDS that results in a regular expression designed to split on word boundaries.:

Code Block

bgColor	#ccccff


public class GoodSplitterSplitter {
  // Interpreted as two chars, '\' and 'b'
  // Correctly splits on word boundaries
 private private final String WORDS = "\\b"; 

  public String[] split(String input){
    Pattern pattern = Pattern.compile(WORDS);
    String[] input_array = pattern.split(input);
    return input_array; // Allows splitting on word boundaries
  }
}

Noncompliant Code Example (String Property)

This noncompliant code example uses the same method, splitWords(). This time the WORDS string is loaded from an external properties file.

Code Block

public class Splitter {
  private final String WORDS;
 
  public Splitter() throws IOException {
    Properties properties = new Properties();
    properties.load(new FileInputStream("splitter.properties"));
    WORDS = properties.getProperty("WORDS");
  }

  public String[] split(String input){
    Pattern ppattern = Pattern.compile(WORDS);
    String[] input_array = ppattern.split(input);
    return input_array;
  }
}

...

In the properties file, the WORD property is once again incorrectly specified as \b.

Code Block

bgColor	#FFCCCC

WORDS=\b

This is read by the Properties.load() method as a single character b, which causes the split() method to split strings along the letter b. Although the string is interpreted differently than if it were a string literal, as in the previous noncompliant code example, the interpretation is incorrect.