Simple: use parameterized queries at all times:
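// Parameterized INSERT: the SQL text is a fixed literal and the values travel
// as separate, typed parameters, so they are never parsed as part of the
// statement — this is what closes the injection hole, not any escaping.
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    using (SqlCommand com = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con))
    {
        // Declare each parameter's SQL type and size explicitly instead of
        // AddWithValue. AddWithValue infers the SQL type from the .NET value
        // (a string becomes NVARCHAR of that value's length), which can force
        // an implicit conversion against a VARCHAR column (index scan instead
        // of seek) and a separate cached plan per distinct length.
        // SqlDbType.NVarChar/50 below is a constructed example — use the
        // columns' real declared types and lengths.
        com.Parameters.Add("@C1", SqlDbType.NVarChar, 50).Value = myValueForColumn1;
        com.Parameters.Add("@C2", SqlDbType.NVarChar, 50).Value = myValueForColumn2;
        com.ExecuteNonQuery();
    }
}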
Or:
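' Parameterized INSERT: the SQL text is a fixed literal and the values travel
' as separate, typed parameters, so they are never parsed as part of the
' statement — this is what closes the injection hole, not any escaping.
Using con As New SqlConnection(strConnect)
    con.Open()
    Using com As New SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con)
        ' Declare each parameter's SQL type and size explicitly instead of
        ' AddWithValue. AddWithValue infers the SQL type from the .NET value
        ' (a String becomes NVARCHAR of that value's length), which can force
        ' an implicit conversion against a VARCHAR column (index scan instead
        ' of seek) and a separate cached plan per distinct length.
        ' SqlDbType.NVarChar/50 below is a constructed example — use the
        ' columns' real declared types and lengths.
        com.Parameters.Add("@C1", SqlDbType.NVarChar, 50).Value = myValueForColumn1
        com.Parameters.Add("@C2", SqlDbType.NVarChar, 50).Value = myValueForColumn2
        com.ExecuteNonQuery()
    End Using
End Using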
You must do the same for UPDATE, SELECT, DELETE and any other statement that takes a value from outside your code.
If you concatenate strings to form an SQL query, especially strings that came from user input, you are wide open to SQL injection.