The advice by dbrenth is correct. I would like to add a warning that is way more important than character input:
failure to use parametrized statements makes the application very unsafe.
With the query string composed from some data, you can get some strings from, say, user input; and it can be anything, for example SQL code. This way, your application is vulnerable to a well-known exploit called
SQL Injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection
Read about the importance of
parametrized statements. Besides safety, they are important for performance and consistency, as they are typed, in contrast to strings.
By the way, you also should not use repeated string concatenation ('+') for performance reasons, because strings are immutable;
System.Text.StringBuilder
and
string.Format
are free from this problem.
—SA
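As an added illustration of the point above (example code, not part of the original answer), the same lookup written first with string concatenation and then with a typed `SqlCommand` parameter; the `Users` table, the `@name`/`@minAge` parameters and the connection string are assumptions for the example, and the connection is never opened so it runs offline.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable: the query text is assembled from user-supplied input, so any
    // quote characters in userName become part of the SQL grammar itself.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Id, Email FROM Users WHERE Name = '" + userName + "'";
    }

    // Safe: the SQL text is a constant; the values travel as typed parameters
    // and are never parsed as SQL, whatever characters they contain.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string userName, int minAge)
    {
        var command = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE Name = @name AND Age >= @minAge",
            connection);
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        command.Parameters.Add("@minAge", SqlDbType.Int).Value = minAge; // typed, not a string
        return command;
    }

    public static void Main()
    {
        // Constructed sample input: a perfectly legitimate name containing an apostrophe.
        string input = "O'Brien";

        // The concatenated statement is already broken SQL on this input; the same
        // mechanism is what lets hostile input rewrite the statement.
        Console.WriteLine(BuildUnsafeQuery(input));
        // SELECT Id, Email FROM Users WHERE Name = 'O'Brien'

        // Hypothetical connection string (assumption); the command is only built, not executed.
        using (var connection = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        {
            SqlCommand safe = BuildSafeCommand(connection, input, 18);
            Console.WriteLine(safe.CommandText);
            foreach (SqlParameter p in safe.Parameters)
                Console.WriteLine($"{p.ParameterName} ({p.SqlDbType}) = {p.Value}");
        }
    }
}
```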