I did read up yesterday on parameterized SQL statements and I have used them before but I thought they were just a stupid, ugly, less intuitive way of doing it :P I didn't know the objects used automatically handled single quotes and stuff. I'm going to replace all my lovely string concatonation SQL statements eventually but for the time being we defintely don't have the time to replace every single SQL statement in the entire program and remove all the existing single quote wrapping code for strings and stuff. I basically have to fix the problem right by um...yesterday :P so I figured since I have to write code to switch back the ' and all them, I might as well just add in one line that adds an escape character if that works and then after that's in place, start redoing the database interaction the correct way. So would it work in the meantime to just replace every character that access in sensitive to with a single quote before it?