Re: Protecting a web app from Postgresql injection

From Andres Ledesma
Subject Re: Protecting a web app from Postgresql injection
Date
Msg-id 766490.5838.qm@web38012.mail.mud.yahoo.com
In response to Protecting a web app from Postgresql injection  (Mary Anderson <maryfran@demog.berkeley.edu>)
List pgsql-novice
Hi,

It may be interesting to read this: http://lwn.net/Articles/185813/

And, IMHO:
In a web app you can take advantage of the possibility of having several layers, the n-layers model, to validate and filter, even change at your need, the user's input when the security of your app is at risk. In that sense, avoiding undesired chars in the db tables starts at the web pages in the form of javascript validation, goes on in the middleware, and can be done one last time in the functions that insert content into tables.

Personally I prefer to use functions (stored procs) for inserts and updates of table contents, and never use SQL code in web pages or in middleware objects; there is always a function that inserts or modifies the table contents. This allows me to have the db structure deep at the bottom layer of the app, and only people dealing with the db know the real structure of the tables, or db.

Hope these simple hints help.

Andy
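
The function-only write path described in the message above, as an added example that is not part of the original post. The table, role and function names are hypothetical, and the input value at the end is constructed.

```sql
-- Added example: hypothetical names throughout.
CREATE TABLE guestbook (
    id         bigserial PRIMARY KEY,
    author     text NOT NULL,
    body       text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Role the web tier connects as; it gets no direct access to the table.
CREATE ROLE webapp LOGIN;
REVOKE ALL ON guestbook FROM PUBLIC;
REVOKE ALL ON guestbook FROM webapp;

CREATE FUNCTION add_guestbook_entry(p_author text, p_body text)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER                      -- runs with the owner's rights
SET search_path = public, pg_temp     -- pin name lookup for a definer function
AS $$
DECLARE
    v_id bigint;
BEGIN
    -- Last-layer validation, independent of what the page or middleware did.
    IF p_author IS NULL OR length(btrim(p_author)) NOT BETWEEN 1 AND 80 THEN
        RAISE EXCEPTION 'invalid author' USING ERRCODE = 'check_violation';
    END IF;
    IF p_body IS NULL OR length(p_body) NOT BETWEEN 1 AND 4000 THEN
        RAISE EXCEPTION 'invalid body' USING ERRCODE = 'check_violation';
    END IF;

    -- Static SQL: the parameters are bound as values and never parsed as SQL.
    INSERT INTO guestbook (author, body)
    VALUES (btrim(p_author), p_body)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

-- Functions are executable by PUBLIC by default; narrow that to the web role.
REVOKE ALL ON FUNCTION add_guestbook_entry(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION add_guestbook_entry(text, text) TO webapp;

-- The middleware calls the function with bind parameters, shown here with
-- PREPARE/EXECUTE. The constructed value is stored verbatim, quote and all.
PREPARE add_entry(text, text) AS SELECT add_guestbook_entry($1, $2);
EXECUTE add_entry('Mary', 'it''s a test; -- still just text');
```

The protection comes from the static SQL inside the function and the bound parameters in the call. A function that builds a query by string concatenation and runs it with `EXECUTE`, or a caller that concatenates user input into the `SELECT add_guestbook_entry(...)` text, is still injectable.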
