Oct 13th, 2011, 02:52 AM
Problems with hard coded sql statements
Just for the record, I would never hard-code sql statements in my code. All my data access goes via MS Enterprise Library to stored procedures.
However, had to take over this one guy's code (several projects) and all his code uses hard coded sql statements.
Would have loved to change it all, but there's no time for that, and have to use the programs as is, and fix issues as they arise (while going on with my own projects!!!)
Just now I found that he does not escape single colons in his SQL strings, and therefore (in this case) the insert statement will fail if a single colon is in it.
What would be the quickest way to address this problem? Perhaps create a method that escapes SQL strings and change his code from
string sql = "" to
string sql = MyCleaningFunction("Insert into aaa blah blah blah");
?
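The following C# sketch is an added example, not code from the original post. It shows what a cleaning function can and cannot do when it only receives the finished statement, next to a parameterized `SqlCommand`. The column `name`, the sample value, and the body of `MyCleaningFunction` are assumptions; no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SqlQuoteDemo
{
    // Hypothetical body for the helper named in the post. It only ever sees
    // the finished statement, so it cannot tell delimiters from data.
    public static string MyCleaningFunction(string sql)
    {
        return sql.Replace("'", "''");
    }

    // The value travels as a typed parameter and never becomes SQL text,
    // so an apostrophe in it needs no escaping at all.
    public static SqlCommand BuildInsert(string name)
    {
        var cmd = new SqlCommand("INSERT INTO aaa (name) VALUES (@name)");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        string name = "O'Brien"; // constructed sample value

        // Inherited style: the value is concatenated into the statement,
        // so the apostrophe ends the string literal early.
        string sql = "INSERT INTO aaa (name) VALUES ('" + name + "')";
        Console.WriteLine("concatenated : " + sql);

        // Cleaning the whole statement also doubles the two quotes that
        // delimit the literal, so the result is still not a valid INSERT.
        Console.WriteLine("whole cleaned: " + MyCleaningFunction(sql));

        // Cleaning only the value gives a valid literal, but every
        // concatenation site has to be found and changed by hand.
        string perValue = "INSERT INTO aaa (name) VALUES ('"
                          + name.Replace("'", "''") + "')";
        Console.WriteLine("value cleaned: " + perValue);

        // Parameterized form: the command text is constant.
        SqlCommand cmd = BuildInsert(name);
        Console.WriteLine("parameterized: " + cmd.CommandText
                          + "  [@name = " + cmd.Parameters["@name"].Value + "]");
    }
}
```

Because the parameterized form changes only how each command is built, it can be applied one call site at a time without moving the statements into stored procedures.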