From: <jws...@ra...> - 2004-04-23 20:23:59

To what degree does SQLObject or SQLbuilder prevent SQL injection attacks? I will be accepting user input that may contain ('), ("), or (;). Do I need to filter this in my app or does it 'just work'?