There is no need to restrict your users’ ability to use apostrophes or quote characters in input. This simple filtering technique allows unrestricted use of quotes and apostrophes, and can help guard against many SQL injection attacks to boot.
SQL will accept either the quote (“) character or the apostrophe (‘) as a string delimiter, although the latter is preferred. If the string includes an embedded delimiter character, the string is terminated early, and what follows is treated as a new SQL statement, which is where the injection vulnerability comes into play. However, paired delimiter characters are treated as a single embedded non-delimiter character, which suggests the simple solution: use an apostrophe as the delimiter, and filter the string and replace every apostrophe with two apostrophes.
I use a standard function when generating dynamic SQL statments which takes a string as input and returns a bounded and filtered statement component. What follows is VBScript, but can easily be converted to any language. Note that the function returns the string ‘Null’ when the sIn argument value is an empty string.”
Public Function SQLBoundString(ByVal sIn) If sIn = "" Then SQLBoundString = 'Null' Else SQLBoundString = "'" & Replace(sIn, "'", "''") & "'" End IfEnd Function