If you're prohibiting valid letters to protect your database because you didn't parametrize your queries, you're solving the problem from the wrong end