A very simple approach is to stop building the SQL text dynamically and use a parameterized query instead — the statement stays a fixed literal and the caller's values travel as typed parameters:
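/// <summary>
/// Loads the One/Two/Three columns of dbo.Records whose Date falls within
/// the [pStartDate, pEndDate] range (inclusive on both ends, because the query uses BETWEEN).
/// </summary>
/// <param name="pStartDate">Lower bound of the Date range, inclusive.</param>
/// <param name="pEndDate">Upper bound of the Date range, inclusive.</param>
/// <returns>A DataTable holding the matching rows; empty when nothing matches.</returns>
/// <exception cref="SqlException">Propagated from opening the connection or running the query.</exception>
public DataTable LoadRecords(DateTime pStartDate, DateTime pEndDate)
{
    DataTable results = new DataTable();

    // The SQL text is a fixed literal; the caller-supplied dates are only ever sent as
    // typed parameters, so they cannot change the statement's structure (no injection).
    string sqlStatement = "SELECT R.One, R.Two, R.Three FROM dbo.Records AS R WHERE R.Date BETWEEN @StartDate AND @EndDate;";

    using (SqlConnection conn = new SqlConnection(_connectionString))
    {
        conn.Open();
        using (SqlCommand command = new SqlCommand(sqlStatement, conn))
        {
            // Explicit SqlDbType so the provider does not have to infer the type from the CLR value.
            // NOTE(review): SqlDbType.DateTime only covers 1753-01-01..9999-12-31 (values outside
            // that range throw); if the column is datetime2, prefer SqlDbType.DateTime2 so the
            // comparison is not subject to implicit conversion — confirm against the schema.
            command.Parameters.Add("@StartDate", SqlDbType.DateTime).Value = pStartDate;
            command.Parameters.Add("@EndDate", SqlDbType.DateTime).Value = pEndDate;

            using (SqlDataReader reader = command.ExecuteReader())
            {
                // Fix: DataTable.Load takes an IDataReader, not a SqlCommand. The original
                // passed `command` here, which has no matching overload and does not compile.
                results.Load(reader);
            }
        }
    }

    return results;
}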
Because the SQL text is a fixed literal and the two dates are passed as typed parameters, the provider sends the values separately from the statement instead of splicing them into it, so they cannot alter the query's structure — that is what removes the SQL-injection risk here. Keep in mind that parameters only protect values: anything that still has to be concatenated into the string (table or column names, an ORDER BY clause) cannot be parameterized and must be validated against an allow-list instead.