Normally ASP.Net (I think it's .NET doing it) will do magic with single quotes when calling a procedure. For example the following will work just fine...
dim aThing as string = "you're not as cool as your dog"
cmd.CommandText = "pkg_cool.s_you"
cmd.Parameters.Add(New OracleParameter("iSomeVar", OracleDbType.Varchar2)).Value = aThing
insert into someTable (colName),(iSomeVar)
-- the following will work fine if the asp variable "aThing" does not contain an apostrophe.
'insert into ' || vTableName || '(' || colName || ')values(''' || iSomeVar || ''')';
SQL Error: ORA-00917: missing comma
It's the RDBMS (Relational Database Management System) that escapes the apostrophe, not .NET. I'm guessing
execute immediate uses the literal string because it's designed for assembling dynamic SQL.