Ah, no. The Parameters passed to a stored procedure (or even a parameterized
query) can only safely be managed with a Command Object's Parameters
collection. In this case you pass the string (which might contain an
apostrophy) to the Parameter.Value property--ADO (or ADO.NET) handles the
issue (and several others) automatically. If you are in a position to use
the Replace method (changing single apostrophys for two), your code is
subject to SQL injection attacks--a very common failing.
--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit
www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------