technically injection has nothing to do with ticks & quotes... it has to do with how the query is built. What the replace will "fix" (which I don't like because it manipulates the data) is cases where strName = O'Baninon... if not properly escaped, your sql could end up looking like this:

SELECT * FROM tblUsers WHERE Name = 'O'Baninon' ... causing an error... but szlamany is right... it won't prevent someone from putting O';DELETE FROM tblUsers; SELECT ' into strName... this would do three things... 1) select from the table where name is "O"... then delete all users... then return an empty string.

-tg
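Added example (not from the thread or its authors): the two ways of building the query that tg describes, run against a constructed in-memory SQLite table named tblUsers. The concatenated version turns the apostrophe in O'Banion into a syntax error, exactly as described above; the parameterized version (a bound `?` placeholder, the standard fix for "how the query is built") returns O'Banion unchanged, treats the O';DELETE FROM tblUsers; SELECT ' string as a literal value that matches nothing, and leaves every row in place. The table contents and the column name are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_USERS = ["Alice", "O'Banion", "Bob"]
INJECTION_STRING = "O';DELETE FROM tblUsers; SELECT '"  # the input quoted in the post


def make_db():
    """Build an in-memory tblUsers table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (Name TEXT)")
    conn.executemany("INSERT INTO tblUsers (Name) VALUES (?)",
                     [(n,) for n in SAMPLE_USERS])
    conn.commit()
    return conn


def lookup_concatenated(conn, str_name):
    """The fragile pattern from the thread: the value is spliced into the SQL text,
    so the database parser sees user data as part of the statement."""
    sql = "SELECT Name FROM tblUsers WHERE Name = '" + str_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, str_name):
    """The robust pattern: the SQL text is fixed and the value travels separately,
    so quotes and semicolons in the data never reach the parser as syntax."""
    sql = "SELECT Name FROM tblUsers WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (str_name,))]


def concatenation_breaks_on(conn, str_name):
    """True if string-building the query for this value produces a database error."""
    try:
        lookup_concatenated(conn, str_name)
    except sqlite3.Error:
        return True
    return False


def user_count(conn):
    """Row count, used to confirm the table was not modified by a lookup."""
    return conn.execute("SELECT COUNT(*) FROM tblUsers").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("concatenated O'Banion breaks:", concatenation_breaks_on(db, "O'Banion"))
    print("parameterized O'Banion:", lookup_parameterized(db, "O'Banion"))
    print("parameterized injection string:", lookup_parameterized(db, INJECTION_STRING))
    print("rows left in tblUsers:", user_count(db))
```

Note that no replace or escaping of the input is needed in the parameterized path: the data is stored and compared as typed, which is the point tg makes about not manipulating the data.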