I'm having trouble with some string values being passed to a database with ASP. I'm building the string as follows:

conn.Execute "UPDATE Employees SET FirstName = '" & Request.Form("FirstName") & "', " ... and so on.

The problem lies where the string value contains special characters, e.g. one of the string values might be:

"Hello World's"

If this string is passed to my database it stops at the single quote mark like so:
UPDATE Employees SET FirstName = 'Hello World'

Thus throwing up an error when getting to the next value. What can I do to get around this? I have tried Server.URLEncode but that passes (of course) the encoded version to the database. Is this the best option and then decode it somehow when I display the data later on?

Please help.
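
The same UPDATE written with ADO parameters, so the form value travels as data and a quote mark such as the one in "Hello World's" cannot end the SQL string (an added example, not part of the original post). It assumes conn is the open ADODB.Connection from the question; the EmployeeID column and form field, the WHERE clause and the 50-character column size are hypothetical.

```vbscript
' Added example. Runs inside the page's ASP script block.
' Assumed names (not in the post): EmployeeID column/form field, FirstName size 50.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1
Const adExecuteNoRecords = 128

Dim firstName, rawId, idCheck, cmd, affected

' Validate length and type before touching the database.
firstName = Trim(Request.Form("FirstName"))
rawId = Trim(Request.Form("EmployeeID"))

Set idCheck = New RegExp
idCheck.Pattern = "^\d{1,9}$"

If Len(firstName) = 0 Or Len(firstName) > 50 Or Not idCheck.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The SQL text is constant. Each ? is bound to a typed parameter, in order,
' so no user input is ever concatenated into the statement.
cmd.CommandText = "UPDATE Employees SET FirstName = ? WHERE EmployeeID = ?"
cmd.Parameters.Append cmd.CreateParameter("FirstName", adVarChar, adParamInput, 50, firstName)
cmd.Parameters.Append cmd.CreateParameter("EmployeeID", adInteger, adParamInput, , CLng(rawId))

cmd.Execute affected, , adExecuteNoRecords
Set cmd = Nothing

' The value is stored exactly as typed (Hello World's). Encode it only at
' output time, for the context it is written into; here, HTML.
If affected = 1 Then
    Response.Write "Updated: " & Server.HTMLEncode(firstName)
Else
    Response.Write "No matching employee."
End If
```

Server.URLEncode is meant for building URLs, not for storage; with bound parameters the database holds the original text and Server.HTMLEncode is applied when it is displayed.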