Best Practices - SQL Strings
General information
Forum: ASP.NET
Category: ADO.NET, Miscellaneous
Thread ID: 00841144
Message ID: 00841180
Views: 17
This message has been marked as having helped answer the initial question of the thread.
How sophisticated the solution is depends on a lot of factors. For example, if you obtain data in an untrusted way (for example, a querystring in a web page) you must check against SQL injection.

A minimal solution I use is:

Imports System.Data
Imports System.Globalization

' Formats a value as a SQL literal, choosing the form by the column's .NET type.
Public Function FormatearValor(ByVal Campo As DataColumn, ByVal Valor As Object) As String
    Select Case Campo.DataType.Name
        Case "String"
            ' Double any embedded single quote so the value cannot close the literal early.
            Return "'" & CType(Valor, String).Replace("'", "''") & "'"
        Case "DateTime"
            ' Culture-independent date format, so the string parses the same everywhere.
            Return "'" & CType(Valor, DateTime).ToString("yyyy-MM-dd", CultureInfo.InvariantCulture) & "'"
        Case Else
            ' Numbers and other types are emitted unquoted, with invariant formatting.
            Return Convert.ToString(Valor, CultureInfo.InvariantCulture)
    End Select
End Function

A more complex one is to build (or use) a SQL parser and build the SQL string not by concatenation but rather using something like:

loSql.Tables.Add("Customers")
loSql.Fields.Add("*")
loSql.Orders.Add("Name","ASC")
loSql.Where.Add("Name",Equalto,FormatearValor(...

return loSql.ToString()

This way it is easy to check for valid inputs and so on. You can easily build a parser like this using the Regex class and regular expressions... I wrote a class like that by hand a year ago and it took two days (sorry, it is under copyright), but if you don't want to build this or cannot find one, I can share ideas in this forum...
The Life is Beautiful!

Programmer in
Delphi, VS.NET
MCP
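The builder sketched in the post above (tables, fields, orders and a where clause assembled from validated parts, with a type-aware value formatter), as an added example that is not the poster's class and not part of the original message. It is written in Python rather than VB.NET so it can run stand-alone against an in-memory SQLite database; the table, the rows and the untrusted querystring values are constructed for the demonstration, and the class and function names (SqlSelect, format_value, run_demo) are my own, not an existing library's.

```python
import re
import sqlite3
from datetime import date, datetime

# Whitelist for table and column names: the builder refuses anything else,
# so an attacker cannot smuggle SQL through an identifier position.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "LIKE"}
_DIRECTIONS = {"ASC", "DESC"}


def format_value(value):
    """Render a Python value as a SQL literal, choosing the form by type
    (the same idea as FormatearValor, with quote doubling for strings)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, (datetime, date)):
        return "'" + value.isoformat() + "'"  # ISO 8601, culture independent
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"  # an inner quote cannot end the literal
    raise TypeError("unsupported value type: %r" % type(value).__name__)


def is_identifier(name):
    return bool(_IDENTIFIER.match(name))


def check_identifier(name):
    if not is_identifier(name):
        raise ValueError("invalid identifier: %r" % name)
    return name


class SqlSelect:
    """Assembles a SELECT from validated parts instead of raw concatenation."""

    def __init__(self):
        self.tables, self.fields, self.orders, self.where = [], [], [], []

    def add_table(self, name):
        self.tables.append(check_identifier(name))
        return self

    def add_field(self, name):
        self.fields.append("*" if name == "*" else check_identifier(name))
        return self

    def add_order(self, name, direction="ASC"):
        if direction.upper() not in _DIRECTIONS:
            raise ValueError("invalid sort direction: %r" % direction)
        self.orders.append("%s %s" % (check_identifier(name), direction.upper()))
        return self

    def add_where(self, name, operator, value):
        if operator.upper() not in _OPERATORS:
            raise ValueError("invalid operator: %r" % operator)
        self.where.append("%s %s %s" % (check_identifier(name), operator.upper(),
                                         format_value(value)))
        return self

    def to_string(self):
        if not self.tables or not self.fields:
            raise ValueError("a table and at least one field are required")
        sql = "SELECT %s FROM %s" % (", ".join(self.fields), ", ".join(self.tables))
        if self.where:
            sql += " WHERE " + " AND ".join(self.where)
        if self.orders:
            sql += " ORDER BY " + ", ".join(self.orders)
        return sql


def run_demo(name_from_querystring):
    """Build a query from an untrusted value and run it against a constructed
    in-memory SQLite table; returns (sql, names of the matching customers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, City TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)",
                     [("Alice", "Madrid"), ("Bob", "Lima"), ("O'Neil", "Dublin")])
    sql = (SqlSelect().add_table("Customers").add_field("*")
           .add_order("Name", "ASC").add_where("Name", "=", name_from_querystring)
           .to_string())
    rows = [row[0] for row in conn.execute(sql)]
    conn.close()
    return sql, rows


if __name__ == "__main__":
    # A legitimate name containing a quote, then a classic injection attempt.
    for candidate in ("O'Neil", "x' OR '1'='1"):
        print(run_demo(candidate))
```

With the quote doubled, the injection attempt becomes an ordinary string literal that matches no row, while "O'Neil" still matches. Note that when the database driver offers parameters (in ADO.NET, SqlCommand.Parameters with SqlParameter), sending the value as a parameter instead of formatting it into the string is the simpler and safer option; a builder like this is still useful for the identifier and operator positions, which parameters cannot cover.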