SQL injection – SQLi with quote filter

I do hackin courses, and in one of the lessons I have a possible SQLi, but in the source code, there is an if clause just before the SQL statement, which filters the quote symbol:

user = "user"
pass = "pass"

if "& # 39;" in user + password:
print "error"

db.execute ("select * from users where username ="% s "and password ="% s "% (user name, password))

So, when I try to inyect in one of the fields "asdf" or "1" = "1", the if clause stops. I've tried to encode the quotation mark symbol into different encodings (hex, base64, html, etc.), but that still does not work.

PD: The code is written in Python