No, they still don't prevent SQL injection. You should use SqlParameters to pass your values to the SQL Server. See the MSDN documentation for more on this.
The worst scenario in SQL injection has been provided by you: deleting the table and then commenting out the rest of the statement. Whether you allow quotes or not, it will exploit your database. You are, however, going to pass the SQL command in a string format, and what do you think prevents the user from adding a quote himself?
If I had to design a pattern, I would also not rely on SQL parameters. I would first try to validate the user's input, before even creating or constructing the SQL command. If the input is OK, then I would create the SQL command, again passing the values using SQL parameters.
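The validate-then-parameterize pattern described in this answer, as an added example that is not part of the original post. It uses Python's built-in `sqlite3` module and its `?` placeholders in place of SQL Server and `SqlParameter`; the table, the sample rows, the allow-list pattern and the function names are all assumptions made for the illustration.

```python
import re
import sqlite3

# Assumed allow-list for a user name: 1-32 letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Constructed hostile input of the kind the answer describes:
# closes the string literal, drops the table, comments out the rest.
HOSTILE = "x'; DROP TABLE users; --"


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def query_email(db, name):
    """Parameterized lookup: the SQL text is constant, the value travels separately."""
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def find_email(db, raw_name):
    """Validate first, then build the command, still passing the value as a parameter."""
    if not isinstance(raw_name, str) or not NAME_RE.fullmatch(raw_name):
        raise ValueError("invalid user name")
    return query_email(db, raw_name)


def table_rows(db):
    """Row count of users; raises sqlite3.OperationalError if the table is gone."""
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(find_email(db, "alice"))
    try:
        find_email(db, HOSTILE)
    except ValueError as exc:
        print("rejected before any SQL was built:", exc)
    # Even with validation skipped, the parameter is compared as plain data.
    print(query_email(db, HOSTILE), table_rows(db))
```

Validation here is the first gate and the parameter is the second: if the allow-list is ever loosened to admit quotes, the bound parameter still keeps the value out of the SQL text.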