Escaping characters for an insert statement

[Chips]

Hello, having some trouble with this one. Checked the php.net topics for anything, nothing can be found. tried using "addslashes()" but that doesn't seem to work either!

So can anyone give me any quick pointers on what characters need to be escaped, and if they know of any functions that do this (integrated in php) or whether i'll have to use a different function and tailor it or not.

Especially relevent to:

Preventing sql injection attacks on mssql database (dunno how, but guessing ensuring they can't insert sql statements into queries that are just supposed to insert data instead!).
Allowing users names like O'Donnel etc
Allowing users to put ! ? " - ' ; : etc inside comments sections that will be logged into a database table.

Unfort having massive trouble finding any information with regards to mssql, and plenty on mysql that just doesn't work (tried addslashes and nothing was entered when putting ' into a string of text!).

Many thanks if anyone can help out.

[Barand]

To input names Like O'Donnel you need to change it to O''Donnel (2 single quotes) to insert it into the table, unlike MySql which requires \'.