I'm doing an application that reads and updates some VFP tables along with SQL Server tables.

For a variety of reason, I'm not using data binding, but instead I'm constructing and executing commands as follows:

string strupdatestring = "Update somast01 SET ponum = ' '" + textBoxPonum.Text + “’"

During testing, I mistakenly typed a ""' in the textBoxPonum field and when the program ran the command above (ExecuteNonQuery), the provider dutifully returned a message that the command contained junk.

Is there any shortcut here or do I have to check every field for things like quote signs?

Besides quote signs and apostrophes, what else can bring it down?