Performance-wise (and security-wise wrt possible SQL-injecting hacks) I
would use a SqlCommand object and a parameterised query rather than a
direct SQL string (therefore removing the requirement for this type of
function).
Merak
> I have the following helper method to format sql string parameters:
>
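> public static string DoQuotes(string sqlParam)
> {
>     // IndexOf returns 0 when the quote is the first character,
>     // so the test must be >= 0 or a leading quote is left undoubled.
>     if (sqlParam.IndexOf("'") >= 0)
>     {
>         sqlParam = sqlParam.Replace("'", "''");
>     }
>
>     return "'" + sqlParam + "'";
> }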
>
>
> Is there a better way, performance-wise?
>
> thanks, Greg
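
Added example, not part of the original thread: the parameterised form of the kind of query the helper above would feed, using System.Data.SqlClient. The table name, column name and sample values are assumptions made up for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ParameterisedQueryExample
{
    // Hypothetical table and column names, used only for this illustration.
    private const string FindByLastName =
        "SELECT CustomerId, LastName FROM Customers WHERE LastName = @lastName";

    // The SQL text is a constant; the caller's value travels separately as a
    // typed parameter, so no quote doubling is needed.
    public static SqlCommand BuildFindCommand(SqlConnection connection, string lastName)
    {
        SqlCommand command = new SqlCommand(FindByLastName, connection);
        // Explicit type and size keep the parameter signature identical between
        // calls, which lets the server reuse one cached plan for every value.
        // A null string is sent as DBNull rather than being dropped.
        command.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value =
            (object)lastName ?? DBNull.Value;
        return command;
    }

    public static void Main()
    {
        // Constructed sample inputs with quotes in different positions.
        string[] samples = { "O'Brien", "'leading", "plain" };

        foreach (string sample in samples)
        {
            // No connection is needed to build and inspect the command;
            // pass an open SqlConnection before calling ExecuteReader().
            using (SqlCommand command = BuildFindCommand(null, sample))
            {
                Console.WriteLine("text : " + command.CommandText);
                Console.WriteLine("value: " + command.Parameters["@lastName"].Value);
            }
        }
    }
}
```

The command text printed is the same for every input; only the parameter value changes, and it is never spliced into the SQL string.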