• Classic second order SQL injection.

    Anonymous post on security.stackexchange.com?

    May I recommend a CHECK constraint on the column(s) that prevent any data except letters and maybe spaces, perhaps numbers if you have to? If you have to accept any other characters, you're going down a very dark road indeed. Whitelisting is far better than trying to blacklist, but still not perfect.

    As far as evading quote checking, here's a starter example showing a single-quote without having a single-quote in it:

    -- 0x277465737427 is the byte sequence of 'test' with both single quotes included;
    -- assigning the binary literal to a CHAR(6) produces that string without a ' in the source
    DECLARE @test2 CHAR(6)
    SET @test2 = 0x277465737427
    PRINT @test2

    As an exercise to the reader, follow this up with sp_executesql, exec(), and so on, and play with CHAR(27).

    There's a Unicode variant at http://security.stackexchange.com/questions/3611/sql-injection-but-why-isnt-escape-quotes-safe-anymore

    The other common way is string truncation - a ' as the very last position still ends up as a ' in the database.

    For SQL Server in particular, play with:

    -- with QUOTED_IDENTIFIER OFF, double quotes delimit string literals instead of identifiers
    set quoted_identifier off
    print "test"

    The same question on another site:

    http://stackoverflow.com/questions/15537368/how-can-sanitation-that-escapes-single-quotes-be-defeated-by-sql-injection-in-sq

    Another version of the question:

    http://stackoverflow.com/questions/139199/can-i-protect-against-sql-injection-by-escaping-single-quote-and-surrounding-use