http://qs321.pair.com?node_id=265969


in reply to Test if string is already quote()'d?

In the general case it's impossible. For example, if your string is 'hello', is this a string containing quote marks that need escaping, or an already escaped string just containing the word "hello"?

As grantm pointed out, the right solution is to use placeholders.

If you need to generate the SQL, then you just need to keep an array of values around to pass to the execute. Every time you get to the stage that you want to embed a value in the SQL, add a '?' instead and push the actual value onto your array. When you have your finished SQL, you have the list of values ready to pass to execute.
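
The approach described in this reply, as an added example that is not part of the original post: the SQL is generated piece by piece, with each value replaced by a `?` and pushed onto a bind array that is later handed to DBI. The `build_search` function, the `users` table and the sample rows are hypothetical, and the demo assumes DBD::SQLite is installed for the in-memory database.

```perl
use strict;
use warnings;
use DBI;

# Build a query from optional search criteria. Every value becomes a '?' in
# the SQL and is pushed onto @bind in the same order it appears in the text.
# build_search() and the users table are hypothetical names for this example.
sub build_search {
    my (%crit) = @_;
    my (@where, @bind);

    if (defined $crit{name}) {
        push @where, 'name = ?';
        push @bind,  $crit{name};
    }
    if (defined $crit{min_age}) {
        push @where, 'age >= ?';
        push @bind,  $crit{min_age};
    }
    if ($crit{cities} && @{ $crit{cities} }) {
        # One placeholder per list element, values appended in list order.
        push @where, 'city IN (' . join(', ', ('?') x @{ $crit{cities} }) . ')';
        push @bind,  @{ $crit{cities} };
    }

    my $sql = 'SELECT id, name FROM users';
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;
    $sql .= ' ORDER BY id';
    return ($sql, @bind);
}

# Constructed sample data in an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, city TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, age, city) VALUES (?, ?, ?)');
$ins->execute(@$_) for ["O'Brien", 41, 'Cork'], ["'hello'", 30, 'Oslo'], ['hello', 25, 'Oslo'];

# Values with and without quote marks are passed as-is; quote() is never called,
# so the "is it already quoted?" question does not arise.
for my $name ("'hello'", 'hello', "O'Brien") {
    my ($sql, @bind) = build_search(name => $name, cities => ['Cork', 'Oslo']);
    my $rows = $dbh->selectall_arrayref($sql, undef, @bind);
    printf "%-10s -> %d row(s): %s\n", $name, scalar @$rows, $sql;
}
```

The SQL text is identical for all three names, which is the point: the driver receives the values separately from the statement, so a value containing quote marks matches only the row that literally contains them.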