There are numerous ways to bypass filters. Most of them are encoding, such as hexadicmal or unicode entities. (ie. %XX or %u00XX)
Also, sometimes you can use double-byte characters. Where two characters may not filtered such as '? (there's a special character like this, it only works with mysql_escape_string(), and there's also some tricks to bypass addslashes too. Google for them!
So, these are pretty common, however it also depends on the implementation of the "security". For example, a pseudo query like this would be insecure: SELECT lolcats FROM hats WHERE (id=$USERINPUT);
This is because the attacker, even if ' and " has a backslash appended, can just end the parentheses and inject his own code like this: ) UNION SELECT 0x41414141 FROM blah and so forth.
There's a lot of tricks, and a good book to read besides numerous articles you can find on google by searching for "encoding", "bypass", etc., is The Web Application Hackers Handbook. It will probably help you a lot