in reply to SQL Injection myths under DBI?
    $input = "\\'";

Now your code is going to insert a backslash in front of the ', but my backslash will eat it up, leaving my ' out there to do its dirty work. Can that actually be exploited? I honestly haven't taken the time to work out how, but the fact that it took me all of 30 seconds to find something you overlooked leads me to suspect there might be other problems. Is escaping just backslashes and single quotes enough? Maybe. My big question is, why not just use the quote function the SQL library provides? It's way, way more likely to have caught anything you, personally, have overlooked, and done it in a nice and portable, easy to use way.