Escaping apostrophe using PHP/MSSQL and ODBC

[Eiolon]

I am using PHP with ODBC to connect to an existing MSSQL database to query for some names.  When I query a name that has an apostrophe in it, I get an error.

 

Example typing O'Malley as the name:

 

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver]

Incorrect syntax near 'malley'., SQL state 37000 in SQLExecDirect

[/quote]


I have used addslashes to the string but get the same result:


[code]

$string = addslashes($_POST['string']);


$connect = odbc_connect("$mssql_name", "$mssql_user", "$mssql_pass");


		$query_mssql = "SELECT pr.NameFirst, pr.NameLast, pr.NameMiddle, pr.Birthdate, p.Barcode, p.OrganizationID

		FROM PatronRegistration pr 

		JOIN Patrons p ON (pr.PatronID = p.PatronID)

		WHERE pr.NameLast = '$string'";


		$result = odbc_exec($connect, $query_mssql);

[/code]

 

Any ideas?

[Pikachu2000]

Echo $string and see if the ' was escaped properly.

[PFMaBiSmAd]

In mssql you escape a single-quote using another single-quote.

[Eiolon]

Ah, thanks.  I used eregi to escape it and it's working now.

[Pikachu2000]

Not 100% certain, but IIRC you can set magic_quotes_sybase to On in your php.ini file, and addslashes will work properly with it.