Single quotes in SQL need escaping; otherwise they can lead to injection.
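
An added example (not from the original page) showing the point with Python's `sqlite3` module: a value containing a single quote breaks or rewrites a concatenated query, while doubling the quote keeps it as data. The table, function names and inputs are constructed for illustration, and the parameterized variant goes beyond the escaping the page mentions.

```python
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database (runs offline).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("O'Brien", "admin"), ("alice", "user"), ("bob", "user")],
    )
    return db


def find_unescaped(db, name):
    # Vulnerable: the value is pasted between the quotes unchanged, so a
    # quote inside it ends the string literal early.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def sql_quote(value):
    # Standard SQL literal escaping: double every single quote.
    # Sufficient for SQLite string literals; other engines may treat
    # further characters (such as backslash) specially.
    return "'" + value.replace("'", "''") + "'"


def find_escaped(db, name):
    sql = "SELECT name FROM users WHERE name = " + sql_quote(name)
    return [row[0] for row in db.execute(sql)]


def find_parameterized(db, name):
    # The value travels separately from the SQL text; no escaping needed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing quotes
    print(find_unescaped(db, crafted))        # WHERE clause rewritten
    print(find_escaped(db, crafted))          # treated as a plain name
    print(find_parameterized(db, "O'Brien"))  # legitimate quoted name
```

With the unescaped query, even the legitimate name `O'Brien` fails with a syntax error, which is often the first visible sign of the problem in application logs.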