-
Oct 13th, 2011, 02:52 AM
#1
Thread Starter
Hyperactive Member
Problems with hard coded sql statements
Just for the record, I would never hard-code sql statements in my code. All my data access goes via MS Enterprise Library to stored procedures.
However, had to take over this one guy's code (several projects) and all his code uses hard coded sql statements.
Would have loved to change it all, but there's no time for that, and have to use the programs as is, and fix issues as they arise (while going on with my own projects!!!)
Just now I found that he does not escape single colons in his SQL strings, and therefore (in this case) the insert statement will fail if there is a single colon in it.
What would be the quickest way to address this problem? Perhaps create a method that escapes SQL strings and change his code from
string sql = "" to
string sql = MyCleaningFunction("Insert into aaa blah blah blah");
?
-
Oct 13th, 2011, 06:54 AM
#2
Re: Problems with hard coded sql statements
you mean tick marks ' ... not colons, which is :
I don't know that creating a cleaning function would be any easier and faster than converting the queries into parameterized ones, I'm not suggesting using sprocs... keep the SQL inline, but use parameters instead. You're going to have to modify all those lines anyways... might as well do it proper and right.
-tg
-
Oct 14th, 2011, 05:21 AM
#3
Thread Starter
Hyperactive Member
Re: Problems with hard coded sql statements
Hell, what was I thinking. Meant single quotes... or ticks (first time I hear it called that).
Dude, it's really a LOT of code (though I agree with you).
Either case, will see. Thought there might be a .NET function for this (other than string.Replace...)
-
Oct 16th, 2011, 10:01 PM
#4
Re: Problems with hard coded sql statements
I'd second a vote for converting the queries to parameterised queries.
There's nothing inherently wrong with hard coded SQL (modulo parameterised queries and other safety techniques of course) if the scale of the application is small. Sometimes a big framework will be over-engineering.
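The inline-but-parameterized approach suggested in the replies above, as an added example that is not code from the thread. The table name `aaa` comes from the original post; the column names, the `SqlHelper.Command` helper and the sample values are assumptions made for illustration, and the code targets `System.Data.SqlClient` on .NET Framework.

```csharp
using System;
using System.Data.SqlClient; // on modern .NET, reference the Microsoft.Data.SqlClient package instead

static class SqlHelper
{
    // Hypothetical helper: keeps the SQL text inline at the call site but binds
    // every value as a parameter (@p0, @p1, ...), so quotes never reach the parser.
    public static SqlCommand Command(string sql, params object[] values)
    {
        var cmd = new SqlCommand(sql);
        for (int i = 0; i < values.Length; i++)
            cmd.Parameters.AddWithValue("@p" + i, values[i] ?? DBNull.Value);
        return cmd;
    }
}

static class Program
{
    // Before: values spliced into the statement text. A single quote in the
    // data ends the string literal early, so the INSERT fails (or is injectable).
    static string BuildConcatenated(string name, string notes)
    {
        return "INSERT INTO aaa (name, notes) VALUES ('" + name + "', '" + notes + "')";
    }

    static void Main()
    {
        string name = "O'Brien";          // constructed sample value
        string notes = "can't reach him"; // constructed sample value

        Console.WriteLine("Concatenated: " + BuildConcatenated(name, notes));

        // After: the statement text is a constant; the data travels separately.
        using (SqlCommand cmd = SqlHelper.Command(
            "INSERT INTO aaa (name, notes) VALUES (@p0, @p1)", name, notes))
        {
            Console.WriteLine("Parameterized: " + cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("  " + p.ParameterName + " = " + p.Value);

            // Against a real database (connectionString is a placeholder):
            // using (var conn = new SqlConnection(connectionString))
            // { conn.Open(); cmd.Connection = conn; cmd.ExecuteNonQuery(); }
        }
    }
}
```

Each legacy call site changes only in that the quoted value in the SQL string becomes a `@pN` placeholder and the variable moves to the argument list, which is about the same amount of editing as wrapping the string in a cleaning function.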