in reply to Re: Securing HTML query strings
in thread Securing HTML query strings
My main concern is with dealing with the ' character, as it can be used for SQL injection attacks. Lawliet suggested using HTML::Entities, which converts the ' character into its HTML value. Could placeholders be used to stop ' being processed literally as well?
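
As an added example (not part of the original post or thread), the following Perl code contrasts interpolating a value containing ' into an SQL string with binding the same value through a DBI placeholder. It assumes DBD::SQLite is installed; the table, the helper names and the sample inputs are constructed for illustration.

```perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs offline
# (assumption: DBD::SQLite is available).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });

$dbh->do('CREATE TABLE users (name TEXT, role TEXT)');

# Constructed sample rows, inserted through placeholders as well.
my $ins = $dbh->prepare('INSERT INTO users (name, role) VALUES (?, ?)');
$ins->execute(@$_) for (['alice', 'admin'], ["O'Brien", 'user']);

# Vulnerable form: the value becomes part of the SQL text, so a '
# inside it ends the string literal and the rest is parsed as SQL.
sub count_interpolated {
    my ($name) = @_;
    my $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    my ($n) = eval { $dbh->selectrow_array($sql) };
    return defined $n ? $n : 'SQL error';
}

# Hardened form: the SQL text is fixed and the value is bound to the
# ? placeholder, so a ' in it is ordinary data, never SQL syntax.
sub count_placeholder {
    my ($name) = @_;
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ?', undef, $name);
    return $n;
}

# Constructed inputs: a legitimate name with an apostrophe, and a
# value that closes the quote and appends an always-true condition.
for my $input ("O'Brien", "x' OR '1'='1") {
    printf "%-16s interpolated: %-10s placeholder: %s\n",
        $input, count_interpolated($input), count_placeholder($input);
}

$dbh->disconnect;
```

With the placeholder version the apostrophe in a legitimate name matches its row and the quote-closing input matches nothing, whereas the interpolated version either fails to parse or matches every row.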