Author | Post
velo
Is it still possible to inject an SQL string (hex values or something like that) with single or double quotes although they are filtered? I mean, is that filtering good against those types of attacks... e.g.: If I enter ' I got \' If I enter \' I got \\
04.12.2004 09:58:31

paipai
Read this, maybe it's useful.
http://www.securityfocus.com/infocus/1768
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
http://www.ebcvg.com/articles.php?id=210
Edited by paipai on 04.12.2004 10:24:51
04.12.2004 10:21:16