Try using SqlParameters: pass the values as command parameters instead of concatenating them into the SQL text, so user input can never change the structure of the statement.
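' Parameterized INSERT: the values travel as SqlParameters and are never spliced into
' the SQL text, so user input cannot alter the statement (SQL injection).
' Parameters carry values only; the table/column names (here "blah") must stay literal.
Dim commandString As String = <![CDATA[
INSERT INTO blah VALUES (@One, @Two, @Three, @n)
]]>.Value
Using command As SqlCommand = New SqlCommand(commandString, connection)
    ' AddWithValue infers the SqlDbType from the .NET value (e.g. String -> nvarchar).
    ' If the target column is varchar/char that can force a server-side conversion;
    ' command.Parameters.Add("@One", SqlDbType.VarChar, size).Value = valueOne is the
    ' explicit alternative. Every placeholder in the SQL (@Three and @n as well) must be
    ' supplied, otherwise SQL Server rejects the command.
    command.Parameters.AddWithValue("@One", valueOne)
    command.Parameters.AddWithValue("@Two", valueTwo)
    ' ... add @Three and @n the same way, then command.ExecuteNonQuery()
End Using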