Before building the qurery do this ...
strNotes = Request.Form("notes")
If Len(trim(strNotes )) > 0 then
strNotes = Replace(strNotes ,"'","''")
Inside the query use strNotes now. Btw i haven't tested it .. i am just typing it from top of my mind. The logic is surely right .. but just check for any syntax errors :)