Parameterize your query using a SQL Command object.
using System.Data.SqlClient;   // provides SqlConnection, SqlCommand and SqlDataReader

using (SqlConnection con = new SqlConnection(connectionString))
{
    con.Open();
    using (SqlCommand cmd = new SqlCommand(
        "SELECT Code FROM Products WHERE Description = @description", con))
    {
        // The value travels as a parameter; it is never spliced into the SQL text
        cmd.Parameters.AddWithValue("@description", Description);
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                string code = dr.GetString(0);   // first (and only) selected column
            }
        }
    }
}
Parameterization protects from SQL injection AND deals with special characters (in this case, just the apostrophe).
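To make that last point concrete, here is an added, self-contained example (not part of the answer above, and using Python's built-in sqlite3 module rather than SQL Server and SqlCommand, so it runs offline). It builds a constructed Products table, runs the same lookup once by string concatenation and once with a bound parameter, and shows that the concatenated form breaks as soon as the description contains an apostrophe, while the parameterized form returns the right row and treats a value that merely looks like SQL as plain data. sqlite3 uses ? placeholders where SqlCommand uses @name; the mechanism is the same.

```python
import sqlite3

# Constructed sample data, shaped like the Products(Code, Description) table in the answer.
SAMPLE_ROWS = [
    ("P001", "Widget"),
    ("P002", "Men's shirt"),   # contains the apostrophe that breaks naive concatenation
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Products (Code TEXT, Description TEXT)")
    con.executemany("INSERT INTO Products VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_concatenated(con, description):
    """Vulnerable pattern: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT Code FROM Products WHERE Description = '" + description + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, description):
    """Safe pattern: the SQL text is fixed; the value is bound to a placeholder."""
    sql = "SELECT Code FROM Products WHERE Description = ?"
    return [row[0] for row in con.execute(sql, (description,))]


def demo():
    """Run both lookups against the sample table and collect the outcomes."""
    con = make_db()
    results = {}

    # Ordinary value: both forms agree.
    results["param_plain"] = lookup_parameterized(con, "Widget")

    # Apostrophe in the data: the parameter is bound verbatim, so the row is found.
    results["param_apostrophe"] = lookup_parameterized(con, "Men's shirt")

    # A value containing SQL syntax is compared literally and matches nothing.
    results["param_sql_looking"] = lookup_parameterized(con, "Widget' OR Description <> '")

    # The concatenated form turns the apostrophe into a string terminator and fails to parse.
    try:
        lookup_concatenated(con, "Men's shirt")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"

    con.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The syntax error on the concatenated path is the benign failure mode; the same splice, given input crafted for it, is where injection comes from. Binding the value as a parameter removes both problems at once because the database never parses the value as SQL.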