Then you should restructure your code so that you can pass parameters. Instead of passing a string to this other method you should pass a string and an array of parameters. It is just plain bad to use string concatenation to build SQL statements except in the rare cases where it's necessary. Those cases are where the values you're inserting are identifiers rather than values. In those cases you need to validate stringently to avoid SQL injection attacks.
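As an added illustration of the point above (example code written for this page, not code from the original answer or its author), here is the restructuring in Python with the standard `sqlite3` driver: the query helper takes the SQL text plus a separate array of parameters, and the one case where concatenation is unavoidable, a caller-chosen sort column, goes through a strict allow-list check before it touches the statement. The table, rows, and the `users`/`find_by_name`/`safe_identifier` names are assumptions constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory database for the demonstration; not from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def run_query_unsafe(conn, sql):
    """The pattern the answer warns against: the caller has already
    concatenated user-supplied values into the SQL string."""
    return conn.execute(sql).fetchall()


def run_query(conn, sql, params=()):
    """Hardened pattern: the caller passes the SQL text and a separate array
    of parameters. The driver binds the values, so a value can never change
    the structure of the statement."""
    return conn.execute(sql, tuple(params)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so they
# are the rare case where the name has to be spliced into the SQL text. That
# is why they must be validated stringently. An allow-list of known names is
# the strongest check; the regex is a second line of defence on top of it.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def safe_identifier(name, allowed=ALLOWED_SORT_COLUMNS):
    """Return the identifier quoted for SQL, or raise if it is not allow-listed."""
    if name not in allowed or not IDENTIFIER_RE.match(name):
        raise ValueError(f"refusing unvalidated identifier: {name!r}")
    # Double-quote it as well, so even an allowed name is read as an identifier
    # and never as a keyword or expression.
    return '"' + name + '"'


def identifier_rejected(name):
    """Helper for checking that a hostile identifier is refused."""
    try:
        safe_identifier(name)
        return False
    except ValueError:
        return True


def find_by_name(conn, name, sort_by="id"):
    """Value goes through a parameter; the identifier goes through the allow-list."""
    sql = (
        "SELECT name, role FROM users WHERE name = ? "
        f"ORDER BY {safe_identifier(sort_by)}"
    )
    return run_query(conn, sql, [name])


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic injection string, constructed here
    # Concatenation lets the payload rewrite the WHERE clause and dump every row.
    print(run_query_unsafe(db, "SELECT name, role FROM users WHERE name = '" + payload + "'"))
    # Binding treats the same text as a literal name that matches nothing.
    print(run_query(db, "SELECT name, role FROM users WHERE name = ?", [payload]))
    print(find_by_name(db, "alice", sort_by="role"))
    print(identifier_rejected("role; DROP TABLE users"))
```

Note that the allow-list is the real control; quoting the identifier is only belt-and-braces for names that have already passed it, because the set of legal names is application knowledge the driver cannot supply.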