What kind of back end are you using?? SqlServer Oracle Mysql Access??? It makes a difference on handeling the SQL statements. Replacing the characters works unless you need them like in the case of apostophies in last names etc... Double up on the apostrophies in that case.
Like Tommy's will go correctly in as Tommy''s
I pulled this function off of a MS site a while back. It works on SqlServer. It should get you going in the right direction.
<%
Function padQuotes( instring )
REM This function pads an extra single quote in strings containing
quotes for REM proper SQL searching.
Dim bodybuild
Dim bodystring
Dim Length
Dim i
bodybuild = ""
bodystring = instring
Length = Len(bodystring)
For i = 1 to length
bodybuild = bodybuild & Mid(bodystring, i, 1)
If Mid(bodystring, i, 1) = Chr(39) Then
bodybuild = bodybuild & Mid(bodystring, i, 1)
End If
Next
bodystring = bodybuild
padQuotes = bodystring
End Function
%>
BTW CHAR(39) is an apostrophie.
Dan