Use prepared statements if possible. If that won't work, simply double each apostrophe in a string when including user data into a SQL code. (Quotations marks with `"` are in SQL only for names. You can double the quotation mark too for this purpose if needed.) When including numbers you can just use them as it is (if you have verified that it is in fact a number, and not some other type instead), and blobs can be written as hex with `X'...'`.