(1) Make sure that you update an existing table/column/row
(2) Make sure that the command that you use does not contain the character (') because SQL will not be able to recognize the syntax as a command.
For example :
"UPDATE testtable SET Test_Col_1 = 'someString' WHERE Test_Col_1 = 'someSt'ring'
So what you could do in this case is to write a method to make sure that (') will never be stand-alone.
This should work :
using System.Text;

// Doubles every single quote that has no quote directly before or after it,
// so that a stray (') inside a value does not end the SQL string literal.
// Quotes that are already doubled ('') are left as they are.
// Note: runs of three or more consecutive quotes are not escaped correctly by this rule.
private string generateQueryableString(string s)
{
    if (s == null)
    {
        return "";
    }

    StringBuilder stringBuilder = new StringBuilder();
    for (int i = 0; i < s.Length; i++)
    {
        if (s[i] == '\'')
        {
            bool prevIsQuote = (i - 1) >= 0 && s[i - 1] == '\'';
            bool nextIsQuote = (i + 1) < s.Length && s[i + 1] == '\'';
            // The quote counts as stand-alone unless exactly one neighbour is a quote
            if (!(prevIsQuote ^ nextIsQuote))
            {
                stringBuilder.Append('\''); // add the escaping quote
            }
        }
        stringBuilder.Append(s[i]);
    }
    return stringBuilder.ToString();
}
Side Note: It might be good for you to use String.format() to organize your command.
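Added example (not part of the answer above): the same UPDATE run three ways against an in-memory SQLite table, so you can see the stray quote from the question break the statement, the standard fix of doubling every quote in the literal, and the parameterized form that needs no escaping at all. The table name, column and row values are taken from the question; everything else (the helper names, sqlite3 instead of SQL Server) is an assumption made for this example.

```python
import sqlite3


def make_db():
    # Constructed sample data: one row containing the quote from the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testtable (Test_Col_1 TEXT)")
    conn.executemany(
        "INSERT INTO testtable (Test_Col_1) VALUES (?)",
        [("someSt'ring",), ("other",)],
    )
    conn.commit()
    return conn


def read_values(conn):
    return [row[0] for row in conn.execute("SELECT Test_Col_1 FROM testtable ORDER BY rowid")]


def update_concat(conn, new_value, old_value):
    # Naive string building: a single quote inside the data terminates the literal
    # and the rest of the statement no longer parses. Returns None on that failure.
    sql = (
        f"UPDATE testtable SET Test_Col_1 = '{new_value}' "
        f"WHERE Test_Col_1 = '{old_value}'"
    )
    try:
        cur = conn.execute(sql)
    except sqlite3.Error:
        return None
    conn.commit()
    return cur.rowcount


def escape_literal(value):
    # Standard SQL escaping for a string literal: every single quote is doubled,
    # which also handles runs of consecutive quotes (''' -> '''''').
    return value.replace("'", "''")


def update_escaped(conn, new_value, old_value):
    # Same concatenation as above, but each value is escaped before it is embedded.
    sql = (
        f"UPDATE testtable SET Test_Col_1 = '{escape_literal(new_value)}' "
        f"WHERE Test_Col_1 = '{escape_literal(old_value)}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_param(conn, new_value, old_value):
    # Parameterized statement: the values never become part of the SQL text,
    # so quotes in the data need no escaping and cannot alter the statement.
    cur = conn.execute(
        "UPDATE testtable SET Test_Col_1 = ? WHERE Test_Col_1 = ?",
        (new_value, old_value),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", update_concat(db, "someString", "someSt'ring"), read_values(db))
    db = make_db()
    print("escaped:     ", update_escaped(db, "someString", "someSt'ring"), read_values(db))
    db = make_db()
    print("parameterized:", update_param(db, "it's", "someSt'ring"), read_values(db))
```

Doubling the quote is what the database itself expects inside a literal, so a plain `Replace("'", "''")` covers every run length. The parameterized form is still the one to prefer: the data travels separately from the statement text, so a quote in the input can neither break the command nor change what it does.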