Escaping characters in SQL statements will not prevent so-called SQL Injection attacks. They (what those of limited intellect call SQL Injection) are a common class of problem where the unwashed confuse CODE and DATA and attempt to execute DATA. It is extremely common in anything that Microsoft has touched, designed, or has anything whatsoever to do with. Everything from Microsoft must be examined carefully for this common defect because Microsofties Live to Destroy absolutely everything, and everything Microsofties touch is ill-conceived. Keep your CODE separate from your DATA. Stop executing DATA. There is absolutely no need whatsoever for any type of quoting or escaping to avoid executing DATA. Use one of the mechanisms, most invented more than a century ago, to keep your CODE and DATA separate, and do not execute DATA. There is actually nothing more simple in the multiverse.
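
The point above, as an added example that is not part of the original text: a quote-escaping lookup beside one that binds the value as a parameter, using Python's `sqlite3`. The table, rows, function names and inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "a-secret"), (2, "bob", "b-secret"), (3, "o'brien", "c-secret")],
    )
    return db

def escape_quotes(value):
    # The "escaping" approach: double every single quote.
    return value.replace("'", "''")

def names_by_id_escaped(db, user_id):
    # DATA is spliced into CODE. The value sits in a numeric position, so there
    # are no quotes to escape and the input is parsed as part of the statement.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in db.execute(sql)]

def names_by_id_bound(db, user_id):
    # The statement text is a constant; the value travels separately as a bound
    # parameter and is only ever compared, never parsed as SQL.
    return [row[0] for row in db.execute("SELECT name FROM users WHERE id = ?", (user_id,))]

def secret_by_name_bound(db, name):
    # Quotes inside bound DATA need no escaping at all.
    row = db.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"  # constructed input containing no quote characters
    print("escaped:", names_by_id_escaped(db, hostile))  # input changes the query's logic
    print("bound:  ", names_by_id_bound(db, hostile))    # input is just a non-matching value
    print("bound:  ", names_by_id_bound(db, 1))
    print("bound:  ", secret_by_name_bound(db, "o'brien"))
```
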