http://msmvps.com/blogs/manoj/archive/2005/03/15/14551.aspxJust came across this post while looking for the "{{" escape format... Thanks! But I couldn't help but see you were using string.Format to construct a SQL statement. :O I have just given a talk with the ASP.NET team about SQL Injection attacksenCommunityServer 2008.5 SP2 (Build: 40407.4157)