Your approach fails if I you need to insert the following data:

O\'Hara
[download]

Your routine will expand that to

O\\'Hara </c>

... which is, again, invalid. SQL injection is hard to prevent if you're interpolating arbitrary data.