What charectors / words are not allowed in an INSERT statement (or any statement for that matter).for example.

Code:
strInsertStatement = "INSERT INTO tblTable values('" & string1 & "','" & string2 & "','" & string3 & "')"
what charectors and or words must be striped from the string1,2,3 variables to ensure I do not get errors, I am having problems inserting ID3 comments into a database and quite often they contain various charectors that only a clown would type, and it even appears that sometimes the people who wrote the tags wrote them deliberatly in such way that problems would be encountered...
Is there a way to not worry about what the strings contain, because its giving me a headache, it would be good if there was a charector for sql statements that indicates the following text in the statement is a variable to use rather than part of the instructional statement itself, I dont know of this, but it would make it good for doing things like storing querys in a database.

I want to do as little validation as possible as the app will usually insert between 1000 and 10'000 rows, and each row has about 13 collumns, so that would leave the user with quite a wait before being able to use all of this data.

thanks in advance