sql injection


esthera
02-14-2008, 07:03 AM
I use the following function for inserting into SQL - does this protect from SQL injection?

Function ToSQL(Value, sType)
    Dim Param
    Param = Value
    ' Empty input becomes a SQL NULL literal
    If Param = "" Then
        ToSQL = "Null"
    Else
        If sType = "Number" Then
            ' CDbl raises a type-mismatch error on non-numeric input,
            ' so only a numeric literal ever reaches the query text
            ToSQL = CDbl(Param)
        Else
            ' Double any embedded single quotes and wrap the value in quotes
            ToSQL = "'" & Replace(Param, "'", "''") & "'"
        End If
    End If
End Function

Spudhead
02-14-2008, 03:33 PM
Theoretically, doubling-up all your single quotes should protect you. However, I wouldn't like to guarantee it. Personally, I use escape() to clean any string input - no doubt someone will arrive shortly to point out how insecure that is :)

The following articles (PDF) are pretty well-written and discuss at length the various ways that SQL injection attacks can work. Although they're based just on ASP / SQL Server scenarios, I'd recommend giving them a read.

Writing Secure ASP Scripts (http://www.nextgenss.com/papers/asp.pdf)
Advanced SQL Injection In SQL Server Applications (http://www.nextgenss.com/papers/advanced_sql_injection.pdf)
(more) Advanced SQL Injection (http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf)

HTH.
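
Added example (not from either poster): a Python port of esthera's ToSQL next to a parameterized query, run against a constructed in-memory SQLite table so the two lookup paths can be compared on a value containing a single quote. The table, row data and function names are assumptions for the demo; the numeric branch mirrors CDbl by refusing non-numeric input rather than passing it through.

```python
import sqlite3


def to_sql(value, s_type):
    """Port of the thread's VBScript ToSQL: NULL for empty input, a numeric
    literal for the Number type, otherwise a quote-doubled string literal."""
    if value is None or value == "":
        return "NULL"
    if s_type == "Number":
        # CDbl would raise a type mismatch here; float() raises ValueError.
        # Formatting with .15g drops the trailing ".0" that str(float) adds.
        return "{:.15g}".format(float(value))
    return "'" + str(value).replace("'", "''") + "'"


def number_rejected(value):
    """True if the Number branch refuses the input instead of emitting it."""
    try:
        to_sql(value, "Number")
        return False
    except ValueError:
        return True


def build_demo_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])
    return conn


def lookup_by_concat(conn, name):
    # The thread's approach: escape, then splice the literal into the SQL text.
    sql = "SELECT id FROM users WHERE name = " + to_sql(name, "String")
    return [row[0] for row in conn.execute(sql)]


def lookup_by_param(conn, name):
    # Parameterized alternative: the driver never merges data into the SQL text.
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]
```

Both lookups return the same row for the quoted name; the difference is that the parameterized form stays correct regardless of how the escaping function is written.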