I'm generating some SQL insert statements from a bunch of text files.
These text files are generally user input data. I would like to sanitize this data so that it
There is only a single character you have to escape: ANSI 0x27, aka the single quote:
safeString = unsafeString.Replace("'","''");
Don't sanitize your strings. Use parameterized queries instead, as they handle all sanitization.
You don't specify which database you are using, so I assume it is MS SQL Server. Microsoft has an article on the official ASP.NET website about this. Also see MSDN for SqlCommand.Parameters and the AddWithValue method.
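The parameterized approach from the answer above, applied to importing lines of text, as an added example that is not part of the original answers. The connection string, the table `dbo.ImportedLines`, its `Content NVARCHAR(4000)` column and the sample lines are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LineImporter
{
    // Assumed for this example: a local SQL Server with a table
    // dbo.ImportedLines (Content NVARCHAR(4000)).
    const string ConnectionString =
        "Server=localhost;Database=ImportDemo;Integrated Security=true";

    static void Main()
    {
        // Constructed sample input standing in for lines read from the text files.
        string[] lines =
        {
            "plain text",
            "O'Reilly",
            "semi;colon and -- comment marker and ') paren",
        };
        Console.WriteLine(Import(lines) + " rows inserted");
    }

    static int Import(string[] lines)
    {
        int inserted = 0;
        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            using (var tx = conn.BeginTransaction())
            using (var cmd = new SqlCommand(
                "INSERT INTO dbo.ImportedLines (Content) VALUES (@content)", conn, tx))
            {
                // The SQL text is a constant. Each value travels separately as typed
                // data, so quotes in the input are stored verbatim, never parsed as SQL.
                // An explicit type and size is used here instead of AddWithValue,
                // which infers both from the .NET value.
                SqlParameter content = cmd.Parameters.Add("@content", SqlDbType.NVarChar, 4000);
                foreach (string line in lines)
                {
                    content.Value = line;
                    inserted += cmd.ExecuteNonQuery();
                }
                tx.Commit(); // all rows are committed together, or none if an insert throws
            }
        }
        return inserted;
    }
}
```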