I have a PHP form where users can enter data. When they do, they use special characters like single quotes.

This prevents their data from being put into the SQL table. I am NOT using MySQL. I am using SQL Server.

How can I fix this?

My code is:

```php
include 'dbcon.php';

// connection to the database
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
    or die("Couldn't connect to SQL Server");

// select a database to work with
$selected = mssql_select_db($myDB, $dbhandle)
    or die("Couldn't open database");

session_start();
$surnum = $_SESSION['surnum'];
$email  = $_SESSION['email'];
$site   = $_SESSION['site'];

// Form answers are interpolated straight into the SQL string, so a single quote
// in any $_POST value breaks the statement (and opens the query to injection).
$query = "INSERT INTO ZSURVEYA(SURNUM_0,EMAIL_0,A_0,A_1,A_2,A_3,A_4,A_5,A_6,A_7,A_8,A_9,A_10,A_11,A_12,A_13) VALUES ('$surnum','$email',convert(varchar(max),'$_POST[Q_0]'),convert(varchar(max),'$_POST[Q_1]'),convert(varchar(max),'$_POST[Q_2]'),convert(varchar(max),'$_POST[Q_3]'),convert(varchar(max),'$_POST[Q_4]'),convert(varchar(max),'$_POST[Q_5]'),convert(varchar(max),'$_POST[Q_6]'),convert(varchar(max),'$_POST[Q_7]'),convert(varchar(max),'$_POST[Q_8]'),convert(varchar(max),'$_POST[Q_9]'),convert(varchar(max),'$_POST[Q_10]'),convert(varchar(max),'$_POST[Q_11]'),convert(varchar(max),'$_POST[Q_12]'),convert(varchar(max),'$_POST[Q_13]'))";

mssql_query($query, $dbhandle);
```
– Gumbo, James Anderson

1 Answer

To answer your question: use the addslashes() function, BUT DO NOT USE IT. Here is why:

  1. You are not sanitizing your data before using it directly into SQL
  2. You should never put a variable value directly into SQL (look up SQL Injection)
  3. You SHOULD use prepared statements, I am sure PDO supports SQL so I would look up PDO at php.net/pdo
– GGio

Neither the "duplicate original answer" was helpful, nor addslashes. Neither worked. :/ Nothing so far is proving to solve the issue. – James Anderson May 20 '14 at 21:09
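As an added example that is not part of the question or the answer above, here is the same INSERT rewritten the way the answer recommends: PDO with a prepared statement, so every form value travels as a bound parameter and is never spliced into the SQL text. It assumes the `pdo_sqlsrv` driver is installed and that `dbcon.php` defines the same `$myServer`, `$myDB`, `$myUser` and `$myPass` variables the question's code uses; the column and answer layout (Q_0 to Q_13 into A_0 to A_13) is taken from the question.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes pdo_sqlsrv and the connection variables from dbcon.php.
include 'dbcon.php';

session_start();

// Connect through PDO; ERRMODE_EXCEPTION makes SQL errors throw instead of
// failing silently the way the mssql_query() call in the question does.
$dsn = "sqlsrv:Server=$myServer;Database=$myDB";
$pdo = new PDO($dsn, $myUser, $myPass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Column names come from a fixed list built in code, never from the request;
// only the VALUES are parameters.
$columns      = ['SURNUM_0', 'EMAIL_0'];
$placeholders = [':surnum', ':email'];
$params       = [
    ':surnum' => $_SESSION['surnum'],
    ':email'  => $_SESSION['email'],
];

// Answers Q_0 .. Q_13 map to columns A_0 .. A_13; a missing answer is stored as ''.
for ($i = 0; $i <= 13; $i++) {
    $columns[]       = "A_$i";
    $placeholders[]  = ":a$i";
    $params[":a$i"]  = $_POST["Q_$i"] ?? '';
}

$sql = sprintf(
    'INSERT INTO ZSURVEYA (%s) VALUES (%s)',
    implode(', ', $columns),
    implode(', ', $placeholders)
);

// The statement text reaches SQL Server with only :surnum, :email, :a0 .. :a13
// in it. A value such as O'Brien is sent separately as a parameter, so the
// quote neither breaks the statement nor changes its meaning.
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
```

Because the values are bound as strings by the driver, the `convert(varchar(max), ...)` wrappers from the original query are not needed. Note also that the `mssql_*` functions used in the question were removed in PHP 7.0, so moving to PDO (or the `sqlsrv_*` extension, which also supports parameterised queries) is required for current PHP anyway.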