Avoiding OLEDB Crashes
23/08/2010 16:45:51
General information
Forum: ASP.NET
Category: Coding, syntax and commands
Environment: C# 4.0
Thread ID: 01478041
Message ID: 01478047
Views: 36
>I'm doing an application that reads and updates some VFP tables along with SQL Server tables.
>
>For a variety of reasons, I'm not using data binding, but instead I'm constructing and executing commands as follows:
>
>string strupdatestring = "Update somast01 SET ponum = '" + textBoxPonum.Text + "'";
>
>During testing, I mistakenly typed a "'" in the textBoxPonum field and when the program ran the command above (ExecuteNonQuery), the provider dutifully returned a message that the command contained junk.
>
>Is there any shortcut here or do I have to check every field for things like quote signs?
>
>Besides quote signs and apostrophes, what else can bring it down?

SQL Server injection can bring this down. Next time try to type

'1;drop table Somast01'

in the textBoxPonum.
If it's not broken, fix it until it is.


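The concatenation from the question beside the fix the reply is pointing at, as an added example that is not code from either poster. It assumes a VFP table somast01 with a character column ponum reached through the System.Data.OleDb provider (the connection string is supplied by the caller); the column type and the sample inputs are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example, not code from the original thread. Assumptions: the VFP
// table somast01 has a character column ponum, and commands run through
// System.Data.OleDb with a connection string supplied by the caller.
class PonumUpdate
{
    // The pattern from the question: the user's text is spliced into the
    // SQL text. A single quote in the input closes the literal early, so
    // whatever follows is parsed as SQL rather than treated as data. Checking
    // for quotes by hand is the wrong fix; the string should never be built
    // this way.
    static string BuildUnsafeSql(string ponum)
    {
        return "UPDATE somast01 SET ponum = '" + ponum + "'";
    }

    // Parameterised form. OLE DB uses positional '?' placeholders; the
    // parameter name is ignored and only the order of Parameters.Add matters.
    // The value travels as data and is never parsed as SQL, so quotes,
    // apostrophes and semicolons in the input need no escaping at all.
    static OleDbCommand BuildSafeCommand(OleDbConnection conn, string ponum)
    {
        var cmd = new OleDbCommand("UPDATE somast01 SET ponum = ?", conn);
        cmd.Parameters.Add("ponum", OleDbType.VarChar).Value = ponum;
        return cmd;
    }

    // Executes the parameterised update and returns the affected row count.
    static int RunUpdate(string connectionString, string ponum)
    {
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = BuildSafeCommand(conn, ponum))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Constructed inputs: a normal value, the stray quote from the
        // question, and an injection string of the kind the reply suggests.
        string[] inputs = { "PO-1001", "'", "1';DROP TABLE somast01--" };
        foreach (var s in inputs)
            Console.WriteLine(BuildUnsafeSql(s));

        // With the same inputs, BuildSafeCommand always sends the fixed text
        // "UPDATE somast01 SET ponum = ?" and the input only as a parameter.
        using (var conn = new OleDbConnection())
        using (var cmd = BuildSafeCommand(conn, inputs[2]))
            Console.WriteLine(cmd.CommandText + "   [param: " + cmd.Parameters[0].Value + "]");
    }
}
```

For the third input the unsafe builder yields `UPDATE somast01 SET ponum = '1';DROP TABLE somast01--'`: a provider that accepts several statements per command would run both, and one that does not rejects the text as a syntax error, which is the "junk" message the question describes. The parameterised command sends the same characters as a plain value, so the question of what other characters "can bring it down" no longer arises; the same `?` placeholder convention applies when the command targets the SQL Server tables through OLE DB.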