There is a better way. Whatever language you're using (you didn't specify--the string.Format
part) undoubtedly supports parameterized SQL execution. Stop concatenating, and instead use parameters.
For example, in C# Entity Framework you would do something like this:
    using System.Data.EntityClient; // EntityCommand / EntityParameter live here

    // The placeholder @vendoritem is filled in by the provider, never by string concatenation.
    string esqlQuery = @"SELECT * FROM inventory WHERE vendor_item = @vendoritem";
    using (EntityCommand cmd = new EntityCommand(esqlQuery, conn))
    {
        EntityParameter vendoritem = new EntityParameter();
        vendoritem.ParameterName = "vendoritem"; // name without the leading '@'
        vendoritem.Value = VendorItem;           // the raw value; quoting/escaping is handled for you
        cmd.Parameters.Add(vendoritem);
        // go on to execute it as shown in the above link
    }
By creating a command and executing it, everything is done for you: parameter placement and formatting, including wrapping strings in single quotes and escaping single quotes or using "NULL" for null instead of "'NULL'".
One additional note is that your second code snippet has no single quotes around the token. But even if you get it "working", you're still susceptible to SQL injection. Best practice is to use parameterized SQL instead.
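The same contrast in a language the answer does not use, added here as an illustration rather than code from the answerer: Python with the standard-library sqlite3 module, an in-memory table with a few constructed rows, and the lookup written once by pasting the value into the SQL text (the question's string.Format pattern) and once with a bound parameter. The table name and column names mirror the query above; the row values, including an item code containing an apostrophe and a row whose code is NULL, are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Build an in-memory inventory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (id INTEGER PRIMARY KEY, vendor_item TEXT, qty INTEGER)"
    )
    # Constructed sample data: one code with an apostrophe, one missing code (NULL).
    conn.executemany(
        "INSERT INTO inventory (vendor_item, qty) VALUES (?, ?)",
        [("ABC-123", 5), ("O'BRIEN-9", 2), (None, 7), ("XYZ-1", 1)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, vendor_item):
    """The pattern from the question: the value is pasted into the SQL text.

    Any apostrophe in the data ends the string literal early, and a Python
    None becomes the four-character string 'None' rather than SQL NULL.
    """
    sql = "SELECT id, qty FROM inventory WHERE vendor_item = '{}'".format(vendor_item)
    return conn.execute(sql).fetchall()


def concat_breaks(conn, vendor_item):
    """True if the concatenated query is rejected by the database."""
    try:
        lookup_concat(conn, vendor_item)
    except sqlite3.Error:
        return True
    return False


def lookup_param(conn, vendor_item):
    """Parameterized form: the driver binds the value; the SQL text never changes."""
    sql = "SELECT id, qty FROM inventory WHERE vendor_item = ?"
    return conn.execute(sql, (vendor_item,)).fetchall()


def lookup_param_null_safe(conn, vendor_item):
    """Binding None yields a real NULL, and NULL = NULL is never true in SQL.

    Using IS instead of = lets a missing code be matched deliberately while
    still behaving like = for ordinary strings.
    """
    sql = "SELECT id, qty FROM inventory WHERE vendor_item IS ?"
    return conn.execute(sql, (vendor_item,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat, plain code:      ", lookup_concat(db, "ABC-123"))
    print("concat, code with quote: ", "rejected" if concat_breaks(db, "O'BRIEN-9") else "ran")
    print("param,  code with quote: ", lookup_param(db, "O'BRIEN-9"))
    print("concat, None:            ", lookup_concat(db, None))
    print("param,  None:            ", lookup_param(db, None))
    print("param IS, None:          ", lookup_param_null_safe(db, None))
```

Running it shows the three things the answer lists: the concatenated query works only for well-behaved values and is rejected outright for "O'BRIEN-9", the parameterized query returns that row correctly, and a Python None reaches the database as NULL under binding (so the `=` form matches nothing, and `IS` is the way to ask for it) but as the literal string 'None' under concatenation.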