A simple way to strip out characters which can cause TSQL Code to break.
Assumes the SQL commannd is in sqlstatement and you are passing a variable in me.comment, before executing the code.

'Allows Characters such as , and ' which may break TSQL Code and Cause Injection
sqlstatement = RTrim(sqlstatement) + ",'Me.comment & "'"
'Strips out characters such as , and '
sqlstatement = RTrim(sqlstatement) + ",'Replace(Replace(Me.comment, ",", ""), "'", "") & "'"