I have a standard text input field. It gets its value from $_POST and I use it to build an SQL query (ODBC, not just MySQL, if that makes a difference; for instance, I can't use mysql_escape_string()).
The query which I am building has single quotes on the PHP and double quotes on the SQL. E.g.:
$sql = 'SELECT * FROM ' . $table . ' WHERE field="' . $_POST['some_field'] . '"'; // user input spliced straight into the SQL text
If the user includes a double quote in his input, e.g. 6" wrench, then I get an SQL error on the unbalanced string (a single quote, as in O'Reilly, gives no problem).
What’s the correct way to handle this? Again, I am using the ODBC interface, not MySQL.
Is it just a matter of addslashes()? Or magic quotes?
Update: the PHP manual says of magic quotes …
This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
(not that they suggest an alternative; in fact, it also says that magic quotes will be dropped in PHP 6)
Should the answer be to use prepared statements?
Use odbc_prepare and odbc_execute, like PDO.
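The parameterised form the answer points at, as an added example that is not code from the question or the answer: it assumes an open ODBC connection in $conn from odbc_connect(), a hypothetical table allow-list, and the question's column name field. Because a table name cannot be bound as a parameter, it is checked against the allow-list instead of being concatenated.

```php
<?php
// Added example (not from the original question or answer): parameterised
// ODBC query via odbc_prepare()/odbc_execute(). Assumed: $conn is an open
// ODBC connection from odbc_connect(); table names below are hypothetical.

// The table name cannot be a bound parameter, so it is restricted to a
// fixed allow-list rather than spliced in from user input.
const ALLOWED_TABLES = ['inventory', 'orders'];

function find_by_field($conn, string $table, string $value): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }

    // Caveat from the PHP manual: odbc_execute() treats a parameter that
    // both starts and ends with a single quote as a file path to read and
    // send. This example rejects such values instead of sending file contents.
    if (strlen($value) >= 2 && $value[0] === "'" && substr($value, -1) === "'") {
        throw new InvalidArgumentException('value must not be wrapped in single quotes');
    }

    // The ? placeholder is filled by the driver, so 6" wrench or O'Reilly
    // travel as data and never become part of the SQL text.
    $stmt = odbc_prepare($conn, "SELECT * FROM $table WHERE field = ?");
    if ($stmt === false) {
        throw new RuntimeException(odbc_errormsg($conn));
    }
    if (!odbc_execute($stmt, [$value])) {
        throw new RuntimeException(odbc_errormsg($conn));
    }

    $rows = [];
    while ($row = odbc_fetch_array($stmt)) {
        $rows[] = $row;
    }
    return $rows;
}

// Usage with the input from the question (constructed fallback value):
$rows = find_by_field($conn, 'inventory', $_POST['some_field'] ?? '6" wrench');
```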