Hi MasterLayouts ;-)
Good question. Your query is *probably* safe but I would only assume so if your users are responsible people that you know and trust, like coworkers who are trying to do their jobs. If the program will be accessed by outside users, for example in the Internet, I would assume someone will eventually do something either stupid or malicious and get you in trouble.
I try to sanitize input if possible but, as you mention, you can have trouble when a valid value contains special characters like quotes.
Some database tools provide a method to get around this issue. In .NET you can build a Command object that represents a query and attach Parameter objects to it. The query holds placeholders (SELECT * FROM People WHERE Name='@') and the parameter objects hold the values to plug in for the placeholders. Then if the user enters something crazy like X' OR TRUE, the database will not interpret the value and instead look for names that actually match X' OR TRUE. That won't happen so the user won't be able to break into the database by using SQL injection in that way.
I don't know if your database tools support this type of query. Most of my work is with SQL Server and other databases using the .NET database libraries where this technique works.
In MySQL, you may be able to use mysql_real_escape_string. It escapes special characters, although this post:
How to prevent SQL injection with dynamic tablenames?
indicates that it may have trouble with backticks.
You might be able to write your own code to escape every non-alphanumeric character. Or you might be able to remove the most unusual characters and escape those that remain.
Another trick that can be useful is to execute the query in a transaction and see how many rows it affects. If you expect it to affect 1 row but the database indicates that it will affect 15,000 rows, you can roll back the transaction. Often a SQL injection attack will try to return more rows than should be allowed so again, if you expect a query to return 1 - 10 rows but it returns 800, don't show the results to the user.
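An added example (not code from the answer above) showing the two ideas in that answer with Python's sqlite3 placeholders in place of .NET Command/Parameter objects: the same `X' OR TRUE` value breaks a concatenated statement but is matched as a plain string through a placeholder, and a row-count check refuses to show results that exceed what the caller expected. The `People` table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    # Constructed sample table; "Bob" appears twice so the row-count guard has something to catch.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO People (Name) VALUES (?)",
                     [("Alice",), ("Bob",), ("Bob",), ("X' OR TRUE",)])
    return conn

def find_concatenated(conn, name):
    """Unsafe: the value is spliced into the SQL text, so a quote inside it
    changes the statement itself. Returns None when the database rejects it."""
    sql = "SELECT Name FROM People WHERE Name='" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None  # the input was parsed as SQL rather than treated as a value

def find_parameterized(conn, name):
    """Safe: '?' is a placeholder; the driver sends the value separately, so the
    database compares against the literal string, quotes and all."""
    sql = "SELECT Name FROM People WHERE Name=?"
    return [row[0] for row in conn.execute(sql, (name,))]

def find_guarded(conn, name, max_rows=10):
    """Parameterized lookup plus the row-count sanity check: if more rows come
    back than the caller expects, return None instead of showing them."""
    rows = find_parameterized(conn, name)
    return rows if len(rows) <= max_rows else None

if __name__ == "__main__":
    db = make_db()
    print(find_concatenated(db, "X' OR TRUE"))   # None: the quote broke the statement
    print(find_parameterized(db, "X' OR TRUE"))  # ["X' OR TRUE"]: matched as a value
    print(find_guarded(db, "Bob", max_rows=1))   # None: 2 rows exceed the expected 1
```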