Escape SQL strings when Parameterized Queries cannot be used?
Update: See also this preexisting question, and its answers, of which this question is effectively a duplicate.
I'm using a 3rd-party API that takes a WHERE condition fragment of a SQL statement, e.g. ThirdPartyFunction(where:"Category = 'abc'", top:5).
I have strings passed through a UI or web service and need to protect against SQL injection attacks.
Without the use of parameterized queries, and without an alternate method in the .NET framework to escape SQL strings (that I know of), I expect to manually escape the SQL string.
I have ideas about the best way to write an escape method but am looking for THE most secure solution.
A parameterized query would definitely be the safest; however, you could do a replace on any single quotes with two single quotes. So if the user tries to enter a malicious query within the 'abc' portion, it would be handled as a string.
What third-party library are you using? Have you checked to ensure that they do not also provide the ability to parameterize your calls to their methods?
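One way to write the escape method the answer above describes, as an added C# example that is not code from the question, the answers or the third-party library. It assumes the API's where: argument is a plain fragment such as Category = 'abc', and that the column name is chosen by the application, never by the user.

```csharp
using System;

// Added example: keep user input inside a single-quoted SQL string literal.
// Doubling the quote character is the standard SQL escape for string literals,
// so the value can never close the literal and start a new SQL clause.
// It protects string literals ONLY: never use it for numbers, identifiers
// or LIKE patterns, and check your database's rules first (MySQL, for example,
// also treats backslash as an escape character by default).
public static class SqlLiteral
{
    // Columns the application is willing to filter on (assumed allow-list).
    private static readonly string[] AllowedColumns = { "Category", "Name" };

    // Escape a value for use between single quotes in a SQL string literal.
    public static string Escape(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        // Refuse control characters such as NUL, which some drivers truncate on.
        foreach (char c in value)
            if (char.IsControl(c) && c != '\t' && c != '\n' && c != '\r')
                throw new ArgumentException("control character in value");
        return value.Replace("'", "''");
    }

    // Build "<column> = '<escaped value>'" for the third-party where: argument.
    public static string EqualsCondition(string column, string value)
    {
        // Quote-doubling does nothing for identifiers, so the column name
        // must come from the allow-list rather than from the request.
        if (Array.IndexOf(AllowedColumns, column) < 0)
            throw new ArgumentException("column not allowed: " + column);
        return column + " = '" + Escape(value) + "'";
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: a benign value and a value containing a quote.
        // The embedded quote is doubled, so the whole input stays inside the
        // literal and is compared as text rather than parsed as SQL.
        Console.WriteLine(SqlLiteral.EqualsCondition("Category", "abc"));
        Console.WriteLine(SqlLiteral.EqualsCondition("Category", "abc' OR 'x'='x"));
    }
}
```

Even with this in place, the answer below still applies: check whether the library accepts parameters, because an escape routine is only correct for the one literal context and database dialect it was written for.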