I have a link with a url variable I need to pass to a page where this variable will be used in a dynamic SQL query that I've coded in Javascript like this:

href:"ceilingtile_browse.cfm?category=24" by 24""

Is there a better way to do this?
And, how can I use this category variable in a SQL query so that the quotes and spaces don't cause a problem?

I think the simplest solution will be using simple quotes:
href:'ceilingtile_browse.cfm?category=24" by 24"'

But IMO is safer if your url has encoded strings and you unencode on your server (that way you can add simple quotes, double quotes, semicolons, ampersands, foreign characters, etc.)

PERL Example:
to encode: $stringEncoded =~ s/([^A-Za-z0-9])/ ord($1)<256 ? sprintf("%%%02X",ord($1)) : $1 /seg;
to unencode: $stringUnencoded =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;

You can also do it in JavaScript with the escape function. They have a pretty good example at http://javascript.internet.com/forms/encode-special-characters.html

Good luck!!!