You can use String.Format, but you need to escape single quotes with two:

string query = string.Format("Name='{0}'", name.Replace(@"'", "''"));
var rows = dt.Select(query);

or, if you want to use Like:

string query = string.Format("Name LIKE '%{0}%'", name.Replace(@"'", "''"));

(note that a DataTable is not vulnerable to sql-injection since it's an in-memory object)
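As an added, self-contained illustration (not the answerer's code), the following shows the unescaped filter failing on a name with an apostrophe, the doubled-quote fix for both the equality and LIKE forms, and, going a step beyond the answer, bracket-escaping the `%`, `*` and `[` characters that DataColumn expressions treat as wildcards inside LIKE. The table contents and the `EscapeLiteral`/`EscapeLikeLiteral` helper names are constructed for this example.

```csharp
using System;
using System.Data;

class DataTableFilterDemo
{
    // Doubles single quotes so the value can sit inside '...' in a filter expression.
    static string EscapeLiteral(string value) => value.Replace("'", "''");

    // For LIKE patterns: also bracket the wildcard characters so they match literally
    // ('[' must be escaped first, otherwise the brackets we add would be re-escaped).
    static string EscapeLikeLiteral(string value) =>
        EscapeLiteral(value).Replace("[", "[[]").Replace("%", "[%]").Replace("*", "[*]");

    static void Main()
    {
        var dt = new DataTable();                     // constructed sample table
        dt.Columns.Add("Name", typeof(string));
        dt.Rows.Add("O'Brien");
        dt.Rows.Add("Smith");
        dt.Rows.Add("100% Cotton");

        string name = "O'Brien";

        // 1. Unescaped: the apostrophe terminates the string constant and the parser fails.
        try
        {
            dt.Select(string.Format("Name='{0}'", name));
        }
        catch (InvalidExpressionException ex)        // base of SyntaxErrorException/EvaluateException
        {
            Console.WriteLine("unescaped filter rejected: " + ex.Message);
        }

        // 2. Escaped equality match, as in the answer.
        DataRow[] rows = dt.Select(string.Format("Name='{0}'", EscapeLiteral(name)));
        Console.WriteLine("equality matches: " + rows.Length);          // 1

        // 3. Escaped LIKE match, as in the answer.
        rows = dt.Select(string.Format("Name LIKE '%{0}%'", EscapeLiteral("Bri")));
        Console.WriteLine("LIKE matches: " + rows.Length);              // 1

        // 4. A search term containing '%' must be bracketed, or it acts as a wildcard.
        rows = dt.Select(string.Format("Name LIKE '%{0}%'", EscapeLikeLiteral("100%")));
        Console.WriteLine("literal-wildcard matches: " + rows.Length);  // 1
    }
}
```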