Escape sequences for SQL string
Message
General information
Forum: ASP.NET
Category: Other
Title: Escape sequences for SQL string
Miscellaneous
Thread ID: 00800907
Message ID: 00800907
Views: 58
I'm trying to build up a string that I can send to either SQL Server or VFP. I'm passing this command via ADO.NET's ExecuteNonQuery() method. I'm having a hard time coming up with the escape sequences that would allow embedded quotes (single and double) in the string. I could just parse them out, which is easy, but I'd prefer to let the user be able to enter them w/o opening my code up to SQL injection attacks. For example, if the user entered this string:

That's harder to do than it looks.

I need to update a description column using this string, so the update might look like:
public bool Update(string strDescr)
{
   // Builds the statement by string concatenation; an embedded single quote in strDescr breaks it
   string sqlUpdate = "UPDATE mytable SET mycolumn = '" + strDescr + "'" + " WHERE miPK = 5";

   // Call to ADO.NET to ExecuteNonQuery()
}
Of course, this isn't going to work because of the embedded single quote in the string the user entered. So, I figured I could add a method to my SQL parser class that escapes everything out for me. But, I'm not having much luck getting this to work. Has anyone been down this road? Any pointers or ideas on how to do this? I decided to build the string manually because VFP doesn't support parameters (arg...). I get the feeling I wouldn't have to go through this if it did.
-Paul

RCS Solutions, Inc.
Blog
Twitter
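The two approaches the post is weighing, shown side by side as an added example (not code from the original post or from its author): the parameterized form for SQL Server, where ADO.NET sends the value separately from the command text so quotes in it cannot alter the statement, and a quote-doubling helper for the case where the statement has to be assembled as text. The table and column names, the `@descr`/`@pk` parameter names and the `QuoteLiteral`/`BuildUpdate` helpers are assumptions for illustration; the doubling of a single quote inside a string literal is the T-SQL rule, and whether the VFP provider accepts the same form is not established on this page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class DescriptionUpdater
{
    // Preferred path for SQL Server: a parameterized command. The text contains
    // only placeholders; the user's string travels as a typed parameter value, so
    // "That's harder..." updates the column and cannot end the statement early.
    public static int UpdateWithParameter(SqlConnection conn, int pk, string descr)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "UPDATE mytable SET mycolumn = @descr WHERE miPK = @pk";
            cmd.Parameters.Add("@descr", SqlDbType.NVarChar, 4000).Value = descr;
            cmd.Parameters.Add("@pk", SqlDbType.Int).Value = pk;
            return cmd.ExecuteNonQuery();
        }
    }

    // Fallback when the statement must be built as text (hypothetical helper):
    // inside a single-quoted T-SQL literal a single quote is written as two
    // single quotes. Double quotes need no escaping there. The delimiting quotes
    // are added by this helper so a caller cannot forget them.
    public static string QuoteLiteral(string value)
    {
        if (value == null)
        {
            return "NULL";
        }
        return "'" + value.Replace("'", "''") + "'";
    }

    // Hypothetical helper: assembles the UPDATE from a numeric key and an
    // already-quoted literal. The key is an int, so formatting it cannot
    // introduce quotes or extra statements.
    public static string BuildUpdate(int pk, string descr)
    {
        return "UPDATE mytable SET mycolumn = " + QuoteLiteral(descr)
             + " WHERE miPK = " + pk.ToString();
    }

    public static void Main()
    {
        // Constructed sample input, taken from the post's own example
        string input = "That's harder to do than it looks.";
        Console.WriteLine(BuildUpdate(5, input));
    }
}
```

Running `Main` prints the UPDATE with the apostrophe doubled inside the literal; the parameterized version never produces that text at all, because the value is bound at execution time rather than spliced into the command string.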