SQLite Forum

The characters to be escaped in Sqlite3 to prevent Sql Injection
Tim's reply is the key one here.  Prepared statements have no dangerous characters, including 0x00.  But to your point, the apostrophe character is the only character you need to worry about, and you've already found what to do about it.

You might want to escape other characters including the percent sign if you're using user-sourced strings for searching, but that's a detail of how your program works, and a dangerous thing to do anyway.  If you want to do it I suggest you read about the ESCAPE clause, as described in

<https://sqlite.org/lang_expr.html#the_like_glob_regexp_and_match_operators>
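Added example, not part of the original thread: it shows the two points above with Python's built-in sqlite3 module, i.e. a bound parameter carrying an apostrophe and a 0x00 byte is plain data, while a user-sourced LIKE pattern still needs its % and _ escaped and an ESCAPE clause. The table, rows and helper names are constructed for the demo.

```python
import sqlite3

def escape_like(pattern: str, esc: str = "\\") -> str:
    """Escape the LIKE wildcards (% and _) and the escape character itself.
    The result is meant for a LIKE ... ESCAPE '\\' clause; it is NOT SQL escaping."""
    return (pattern.replace(esc, esc + esc)
                   .replace("%", esc + "%")
                   .replace("_", esc + "_"))

def build_db() -> sqlite3.Connection:
    # Constructed sample rows: an apostrophe, literal wildcards and an embedded NUL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.executemany("INSERT INTO names VALUES (?)", [
        ("O'Brien",), ("100% cotton",), ("under_score",), ("nul\x00byte",), ("plain",),
    ])
    return conn

def exact_match(conn: sqlite3.Connection, user_input: str) -> int:
    # Bound parameter: the apostrophe and the 0x00 byte are data, never SQL text,
    # so nothing in user_input has to be escaped.
    row = conn.execute("SELECT count(*) FROM names WHERE name = ?", (user_input,)).fetchone()
    return row[0]

def substring_search(conn: sqlite3.Connection, user_input: str) -> list:
    # Binding alone does not neutralise % and _ inside a LIKE pattern; escape them
    # and tell SQLite which escape character was used via the ESCAPE clause.
    pattern = "%" + escape_like(user_input) + "%"
    rows = conn.execute(
        "SELECT name FROM names WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]
```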