Quote:
For a SQL string to be sent in C# I need to convert the ' character inside the string to the " character.
No, you don't.
Based on the description, you're trying to "escape" special characters in a SQL query, because you're using string concatenation to add parameters to the query. But that leaves your code vulnerable to SQL Injection[^].
Instead, you need to use a parameterized query. That way, you don't need to worry about "special" characters, and you can just submit the values unchanged.
For example:
using System;
using System.Data.SqlClient;   // SqlConnection / SqlCommand

string theName = "Seamus O'Leary";   // the apostrophe needs no escaping
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand("SELECT SomeColumns FROM YourTable WHERE SomeName = @Name And SomeDate >= @MinDate", connection))
{
    // The values travel separately from the SQL text, so they are never parsed as SQL
    command.Parameters.AddWithValue("@Name", theName);
    command.Parameters.AddWithValue("@MinDate", DateTime.Today);
    ...
}
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
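The contrast the answer above draws, as an added example that is not part of the original post or the poster's code. It is written in Python against an in-memory SQLite table so it runs stand-alone; the named placeholders (`:Name`, `:MinDate`) play the role of `@Name` and `@MinDate` in the SqlCommand. The table, the sample rows and the hostile input are constructed for the demo, and it assumes the hand-escaping habit the question describes is applied only to the name (the field where a quote was noticed) while the date is concatenated as-is.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original post).
SAMPLE_ROWS = [
    ("Seamus O'Leary", "2024-02-10"),
    ("Ada Lovelace", "2023-11-30"),
    ("Grace Hopper", "2024-03-05"),
]


def make_db():
    """In-memory SQLite table standing in for YourTable in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE YourTable (SomeName TEXT NOT NULL, SomeDate TEXT NOT NULL)")
    conn.executemany("INSERT INTO YourTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_by_concatenation(conn, name, min_date):
    """What the question describes: swap ' for " in the name, then glue strings together.

    Only the name is "escaped", because that is where a quote was noticed;
    min_date is concatenated untouched (assumed here, but a typical oversight).
    """
    sql = (
        "SELECT SomeName FROM YourTable WHERE SomeName = '"
        + name.replace("'", '"')
        + "' AND SomeDate >= '"
        + min_date
        + "' ORDER BY SomeName"
    )
    return [row[0] for row in conn.execute(sql)]


def query_with_parameters(conn, name, min_date):
    """Parameterized equivalent of the SqlCommand in the answer.

    The SQL text is fixed; the values are bound by the driver and are never
    parsed as SQL, so O'Leary is sent unchanged and a payload stays a string.
    """
    sql = (
        "SELECT SomeName FROM YourTable "
        "WHERE SomeName = :Name AND SomeDate >= :MinDate ORDER BY SomeName"
    )
    return [row[0] for row in conn.execute(sql, {"Name": name, "MinDate": min_date})]


def demo():
    """Run both variants on a legitimate lookup and on a hostile one."""
    conn = make_db()
    legit = ("Seamus O'Leary", "2024-01-01")
    # Payload in the unescaped date: closes the literal and ORs in a tautology.
    hostile = ("nobody", "2000-01-01' OR '1'='1")
    return {
        "concat_legit": query_by_concatenation(conn, *legit),
        "concat_hostile": query_by_concatenation(conn, *hostile),
        "param_legit": query_with_parameters(conn, *legit),
        "param_hostile": query_with_parameters(conn, *hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} {rows}")
```

The concatenated version fails both ways: the quote swap turns the legitimate search into a lookup for `Seamus O"Leary`, which matches nothing, while the value that was not escaped hands the attacker every row. The parameterized version returns exactly one row for O'Leary and nothing for the payload, with no per-field escaping to remember. Back in ADO.NET, one further practitioner note: `AddWithValue` infers the `SqlDbType` from the .NET value, so where the column type matters (for index use or implicit conversions) prefer `command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = theName`; either way the injection concern is handled by the parameter, not by the escaping.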