in reply to Secure Regular Expression Check

That's still trivial to bypass: q{us' or 'x' == 'x}. Better is to use placeholders and not let the SQL parser see user input to begin with.

Update: Or worse if the database in question allows compound statements, q{us'; drop table unpw; --}

The cake is a lie.
The cake is a lie.
The cake is a lie.
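The placeholder approach recommended in the reply above, as an added example that is not part of the original post: it runs the post's two inputs through an interpolated query and through a bound one. It assumes Perl DBI with DBD::SQLite and an in-memory database. The table name `unpw` comes from the post; the column names, the sample row and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database. The table name "unpw" is from the post;
# the column names and the sample row are assumptions for illustration.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE unpw (username TEXT PRIMARY KEY, password TEXT)');
$dbh->do('INSERT INTO unpw (username, password) VALUES (?, ?)',
    undef, 'alice', 'constructed-sample-hash');

# Interpolated form (the "before"): the SQL parser sees the user's quote
# characters, so the input can change the structure of the statement.
sub lookup_interpolated {
    my ($user) = @_;
    my $sql = "SELECT username FROM unpw WHERE username = '$user'";
    return $dbh->selectcol_arrayref($sql);
}

# Placeholder form: the statement text is fixed and the value is bound
# separately, so it is only ever compared as data.
sub lookup_placeholder {
    my ($user) = @_;
    my $sth = $dbh->prepare('SELECT username FROM unpw WHERE username = ?');
    $sth->execute($user);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# Inputs: one legitimate name, then the two strings quoted in the post.
for my $input ('alice', q{us' or 'x' == 'x}, q{us'; drop table unpw; --}) {
    # Bound lookup first; it cannot alter the table whatever the input is.
    my $safe = lookup_placeholder($input);
    # Whether a stacked statement runs here depends on the driver and
    # database, so the interpolated call is wrapped in eval.
    my $unsafe = eval { lookup_interpolated($input) } || [];
    printf "%-28s placeholder=%d row(s)  interpolated=%d row(s)\n",
        $input, scalar @$safe, scalar @$unsafe;
}
```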