Don’t rely upon character replacement for SQL injection defenses. Parameterize your queries and, if that isn’t possible, at least use the native escape functions.
Oops, my bad. In this case, since it blocks the apostrophe (%27), it removes the ‘25’, which actually represents % (%25), instead of nullifying the apostrophe, which gives the result of %27?
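Added example (written for this thread, not code from either commenter) showing the two points above with Python's built-in sqlite3: an apostrophe-stripping filter that decodes once both mangles a legitimate name and never sees a doubly encoded apostrophe, while a bound parameter treats the value as data either way. The `users` table and the names in it are constructed for the demo.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    # Constructed in-memory table for the demo (assumption: a users table with a name column).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'brien",)])
    return conn


def filter_then_decode(raw_param):
    # The character-replacement defence from the thread, modelled as a front-end layer:
    # decode the parameter once, drop apostrophes, pass it on. The application then
    # decodes once more before using it, so the filter and the query see different text.
    seen_by_filter = unquote(raw_param)
    passed_on = seen_by_filter.replace("'", "")
    return unquote(passed_on)  # what actually reaches the SQL string


def lookup_concat(conn, raw_param):
    # String concatenation: the value is parsed as SQL, so any apostrophe that survives
    # the filter changes the statement instead of being compared as data.
    value = filter_then_decode(raw_param)
    return conn.execute("SELECT name FROM users WHERE name = '" + value + "'").fetchall()


def lookup_parameterized(conn, raw_param):
    # Parameterized query, no character filter: decode once (as the application would)
    # and bind. The driver sends the value as data whatever characters it contains.
    value = unquote(raw_param)
    return conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchall()
```

With the filter in front of a concatenated query, the real user `o'brien` cannot be found at all, and the doubly encoded form reaches the SQL text as a bare apostrophe; the bound parameter finds the user and simply returns no rows for the encoded variant.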