As Griff said, your code is vulnerable to SQL Injection.
Fixing it to use parameters isn't too hard:
StringBuilder sb = new StringBuilder("INSERT INTO table VALUES (");
foreach (object value in ((IDictionary<string, object>)rec).Values)
{
    if (command.Parameters.Count != 0) sb.Append(", ");
    string name = "@V" + command.Parameters.Count;   // one parameter per value: @V0, @V1, ...
    sb.Append(name);                                 // only the placeholder goes into the SQL text
    command.Parameters.AddWithValue(name, value ?? DBNull.Value);
}
sb.Append(");");
command.CommandText = sb.ToString();
However, this may still not work. You haven't specified the list of columns you want to insert into. And there's no guarantee that the dictionary's Values collection will return the values in the same order as the columns of the table. So you could end up trying to insert the wrong value into the wrong column, which will either result in an error, or in data corruption.
Assuming the keys of your dictionary match the column names from your table, you'll want something more like this:
StringBuilder columnsList = new StringBuilder();
StringBuilder valuesList = new StringBuilder();
foreach (KeyValuePair<string, object> item in (IDictionary<string, object>)rec)
{
    if (columnsList.Length != 0) columnsList.Append(", ");
    if (valuesList.Length != 0) valuesList.Append(", ");
    string name = "@" + item.Key;                    // parameter named after the column
    columnsList.Append(item.Key);                    // column list comes from the dictionary keys
    valuesList.Append(name);                         // values list holds only placeholders
    command.Parameters.AddWithValue(name, item.Value ?? DBNull.Value);
}
command.CommandText = "INSERT INTO table (" + columnsList + ") VALUES (" + valuesList + ");";
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
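The same technique as the answer above, ported to Python's built-in sqlite3 module so it can be run end to end (this is an added example, not code from the thread). It keeps the answer's two points: values are always bound as parameters, and the column list is taken from the dictionary keys rather than relying on value order. It adds one check the answer only states as an assumption: since identifiers cannot be parameterized, each key is verified against the table's real column list before it is spliced into the SQL. The table `people`, the `build_insert`/`insert_record` helpers and the sample record are all constructed for this example.

```python
import sqlite3


def build_insert(table, record, allowed_columns):
    """Build a parameterized INSERT from a dict.

    `table` is a constant chosen by the calling code, never user input.
    Column names come from the dict keys but are checked against the
    table's real columns first (identifiers can't be bound as parameters).
    Values are never concatenated; they go in as named parameters,
    the sqlite equivalent of @name in ADO.NET.
    """
    columns = []
    for key in record:
        if key not in allowed_columns:
            raise ValueError("unknown column: %r" % key)
        columns.append(key)
    placeholders = ", ".join(":" + c for c in columns)
    sql = "INSERT INTO %s (%s) VALUES (%s);" % (table, ", ".join(columns), placeholders)
    return sql, {c: record[c] for c in columns}


def table_columns(conn, table):
    # PRAGMA table_info lists the table's actual columns; used as the whitelist.
    return {row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)}


def insert_record(conn, table, record):
    sql, params = build_insert(table, record, table_columns(conn, table))
    conn.execute(sql, params)
    conn.commit()
    return sql


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER, city TEXT)")
    # Constructed sample record: keys deliberately not in table order, and a
    # value that would break a concatenated query if it were not parameterized.
    rec = {"city": "Oslo", "name": "Bob'); DROP TABLE people; --", "age": 42}
    sql = insert_record(conn, "people", rec)
    row = conn.execute("SELECT name, age, city FROM people").fetchone()
    conn.close()
    return sql, row


if __name__ == "__main__":
    generated_sql, stored_row = demo()
    print(generated_sql)
    print(stored_row)
```

Running `demo()` shows that the generated statement names its columns explicitly (`city, name, age`, in dictionary order, with matching placeholders), that the hostile-looking string lands in the `name` column as plain data, and that a key which is not a real column is rejected before any SQL is built.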