And that just right there is a defect you've put in your armor needlessly. Rather than placeholder values, which never enter the SQL engine's parsing purview, you're going to hang your security on quotes "always" being escaped and, more importantly, being escaped correctly (to say nothing of not maliciously being escaped incorrectly). The "standard procedure" should be to pass values outside the context of an SQL statement with placeholders so there's no possibility of the values' contents affecting the parse of the statement itself.
The cake is a lie.
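An added example, not part of the original post: the same lookup built by string interpolation with a hand-rolled escaper and with a placeholder, run against an in-memory SQLite database. The choice of Python's `sqlite3`, the table, the sample rows and the helper names (`naive_escape`, `lookup_interpolated`, `lookup_placeholder`) are all assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice",), ("bob",), ("O'Brien",)])
    return db

def naive_escape(value):
    # Hypothetical escaper: backslash-escapes quotes, a convention some
    # engines accept. SQLite does not treat backslash as an escape, so the
    # quote still ends the string literal: escaped, but not correctly.
    return value.replace("'", "\\'")

def lookup_interpolated(db, name):
    # The value becomes part of the statement text the engine parses.
    sql = "SELECT name FROM users WHERE name = '%s'" % naive_escape(name)
    return sorted(row[0] for row in db.execute(sql))

def lookup_placeholder(db, name):
    # The statement text is fixed; the value is bound after parsing.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (name,)))

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: an ordinary name with an apostrophe, and a value
    # whose content alters the WHERE clause once it reaches the parser.
    for value in ("O'Brien", "x' OR 1=1 --"):
        try:
            interpolated = lookup_interpolated(db, value)
        except sqlite3.Error as exc:
            interpolated = "statement failed to parse: %s" % exc
        print(repr(value))
        print("  interpolated:", interpolated)
        print("  placeholder: ", lookup_placeholder(db, value))
```

With the placeholder, both inputs are compared as plain data: the first matches one row and the second matches none. With interpolation, the first breaks the statement and the second matches every row.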