Does this code prevent SQL injection?

Backend  Unresolved  7  1212
無奈伤痛 2020-11-29 08:40

Background

I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to pr

7 answers
  •  借酒劲吻你
    2020-11-29 09:11

    I think it's safe (at least in SQL server), and I also think the only thing you actually need to do is s = s.Replace("'", "''"). Of course you should use parameterized queries, but you already know that.
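The three approaches the thread touches on, side by side, as an added example that is not part of the question or the answer above: plain string concatenation, the answer's quote-doubling (`s.Replace("'", "''")` written in Python as `s.replace("'", "''")`), and the parameterized query the answer says you should be using anyway. SQLite (in memory, so it runs offline) stands in for SQL Server here; both follow the standard SQL rule that a single quote inside a string literal is written as two single quotes. The `users` table and its rows are constructed sample data.

```python
import sqlite3


def escape_literal(s: str) -> str:
    """Python form of the answer's s.Replace("'", "''"): double every single quote
    so the value can sit inside a single-quoted SQL string literal."""
    return s.replace("'", "''")


def build_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the real Data Provider's data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str):
    """String concatenation with no escaping at all. A perfectly legitimate value
    such as O'Brien terminates the literal early and the statement fails to parse."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_escaped(conn: sqlite3.Connection, name: str):
    """Same concatenation, but with the quote-doubling the answer proposes, so the
    value stays inside the literal. Only works because the value is inserted
    between single quotes; it does nothing for values placed outside quotes."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + escape_literal(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn: sqlite3.Connection, name: str):
    """Parameterized query: the SQL text is fixed and the value travels separately,
    so no escaping is needed and the value can never alter the statement."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True when the unescaped concatenation cannot even be parsed for this input."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(concat_fails(db, "O'Brien"))          # True: unterminated string literal
    print(find_by_name_escaped(db, "O'Brien"))  # [(2, "O'Brien", 'user')]
    print(find_by_name_param(db, "O'Brien"))    # same row, and nothing to escape
```

The escaped and parameterized versions return the same row for a quote-containing name, which is the answer's point. The practical difference for a review like the one in the question is that `find_by_name_escaped` is only correct as long as every call site remembers to escape and only ever interpolates into a quoted literal, whereas `find_by_name_param` makes that a property of the driver rather than of each line of code.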
