Escape single quote before insert into mssql

I don't know why I am struggling with this so badly, but I have a simple form field (text area) that gets inserted into a database. After switching to mssql instead of mysqli I can't figure out how to escape the single quotes and get the insert or update to work.

If I have this form field:
Comments: <textarea name="RACOMMENTS" cols="100" rows="10"></textarea>

and this update:
$sql = "update table set RACOMMENTS='" . $_POST['RACOMMENTS'] . "' ";
$result = sqlsrv_query($conn, $sql);

How do I escape that field to allow a word like don't or can't or sister's?
BHUC asked:
Lee W, MVP, Technology and Business Process Advisor, commented:
Replace the single with TWO singles.

$sql = "update table set RACOMMENTS='" . str_replace("'", "''", $_POST['RACOMMENTS']) . "' ";
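The rule behind doubling the quote is that inside a T-SQL string literal the single quote is the only special character, and the server's lexer turns each '' back into one '. Backslash is not an escape character in SQL Server (that is MySQL behaviour), and doubling is only correct when the value is placed inside a quoted literal; it does nothing for a value spliced in elsewhere. The following added example, which is not code from the thread, packages the quoting into a function and checks that it round-trips by parsing the literal back with the same rule the server applies. The function names and the table name RecordTable are this example's own.

```php
<?php
// Added example (not code from the original thread). It shows the rule behind
// "replace the single with TWO singles": inside a T-SQL string literal the only
// special character is the single quote, and it is escaped by doubling it.
// Function names and the table name are this example's own.

/**
 * Quote a PHP string as a T-SQL string literal. NULL becomes the keyword NULL;
 * the N prefix makes the literal nvarchar so non-ASCII comment text survives.
 */
function tsql_quote_literal(?string $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    return "N'" . str_replace("'", "''", $value) . "'";
}

/**
 * Parse a T-SQL literal back to the original string using the same rule the
 * server's lexer applies ('' -> '). It exists only to show that the quoting
 * round-trips, and it rejects a body with a lone quote, which would have
 * terminated the literal early on the server side.
 */
function tsql_unquote_literal(string $literal): ?string
{
    if ($literal === 'NULL') {
        return null;
    }
    if (substr($literal, 0, 2) === "N'") {
        $literal = substr($literal, 1);
    }
    if (strlen($literal) < 2 || $literal[0] !== "'" || substr($literal, -1) !== "'") {
        throw new InvalidArgumentException("not a T-SQL string literal: $literal");
    }
    $body = substr($literal, 1, -1);
    // Collapse every escaped pair to a placeholder byte; any quote left over is
    // unpaired and the literal is malformed.
    $collapsed = str_replace("''", "\0", $body);
    if (strpos($collapsed, "'") !== false) {
        throw new InvalidArgumentException("unpaired quote inside literal: $literal");
    }
    return str_replace("\0", "'", $collapsed);
}

// Constructed sample inputs, including text that already contains doubled
// quotes and a backslash, which T-SQL does not treat as an escape character.
$samples = ["don't", "sister's", "can't say 'hi'", "O''Brien typed two", 'C:\\temp\\x', ''];
foreach ($samples as $original) {
    $literal = tsql_quote_literal($original);
    if (tsql_unquote_literal($literal) !== $original) {
        throw new LogicException("round trip failed for: $original");
    }
    echo $literal, PHP_EOL;
}

// The update from the question, with the value quoted instead of spliced in raw.
// RecordTable is a placeholder name; the question's "table" is a reserved word.
$sql = 'UPDATE RecordTable SET RACOMMENTS = ' . tsql_quote_literal($_POST['RACOMMENTS'] ?? null) . ';';
echo $sql, PHP_EOL;
```

Run it from the command line to see each literal; the round-trip check throws if any input would not survive the server's lexer. Even with correct quoting, string-building a query still leaves the text and the data in one channel, which is why parameterized queries are the better default for user-supplied values.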

BHUC (author) commented:
Thank you!!!
Pawan Kumar, Database Expert, commented:
You can use \ (backslash) to escape single quotes.

Read more from - http://us3.php.net/mysql-real-escape-string
NerdsOfTech, Technology Scientist, commented:
If you were previously allowing single quotes unescaped, that means you might have other queries that can potentially be at risk.

I recommend using prepared SQL statements; not only will you avoid having to escape strings but you avoid the possibility of SQL injection attacks as well.

Otherwise escaping and sanitizing (filtering) the inputs, or in some cases the outputs (namely when the records were recorded without filtration), is recommended.
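A prepared (parameterized) version of the question's update, added here as an example that is not code from the thread. It assumes the sqlsrv extension (Microsoft Drivers for PHP for SQL Server), whose sqlsrv_connect, sqlsrv_query, sqlsrv_prepare, sqlsrv_execute, sqlsrv_rows_affected and sqlsrv_errors calls are the extension's real API, and a table RecordTable with an integer key column ID; the table, column, connection values and function names are placeholders. The second function goes slightly beyond the question by preparing the statement once and executing it for several rows.

```php
<?php
// Added example, not from the original thread. Assumes the sqlsrv extension and
// a table named RecordTable with an integer key column ID; both names are
// placeholders. The sqlsrv_* calls are the extension's own API.

/**
 * Update one row's comments with a parameterized query. The text of $comments
 * travels to SQL Server as a bound parameter, separate from the SQL text, so
 * quotes need no escaping and cannot change the statement's structure.
 */
function update_comments($conn, int $id, string $comments): int
{
    $sql = 'UPDATE RecordTable SET RACOMMENTS = ? WHERE ID = ?';
    $stmt = sqlsrv_query($conn, $sql, [$comments, $id]);
    if ($stmt === false) {
        // Surface the driver errors instead of leaving the result unchecked.
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $rows = sqlsrv_rows_affected($stmt);
    sqlsrv_free_stmt($stmt);
    return $rows === false ? 0 : $rows;
}

/**
 * Same update prepared once and executed for several rows. sqlsrv_prepare
 * binds the parameter array by reference, so the variables are reassigned in
 * the loop rather than the statement being rebuilt.
 */
function update_many_comments($conn, array $commentsById): int
{
    $id = 0;
    $comments = '';
    $stmt = sqlsrv_prepare($conn, 'UPDATE RecordTable SET RACOMMENTS = ? WHERE ID = ?', [&$comments, &$id]);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $total = 0;
    foreach ($commentsById as $rowId => $text) {
        $id = (int) $rowId;
        $comments = (string) $text;
        if (sqlsrv_execute($stmt) === false) {
            sqlsrv_free_stmt($stmt);
            throw new RuntimeException(print_r(sqlsrv_errors(), true));
        }
        $rows = sqlsrv_rows_affected($stmt);
        $total += $rows === false ? 0 : $rows;
    }
    sqlsrv_free_stmt($stmt);
    return $total;
}

// Form handler. Connection details are placeholders; CharacterSet UTF-8 lets
// the driver send the textarea contents as Unicode without manual conversion.
$conn = sqlsrv_connect('SERVER_PLACEHOLDER', [
    'Database'     => 'DB_PLACEHOLDER',
    'UID'          => 'USER_PLACEHOLDER',
    'PWD'          => 'PASSWORD_PLACEHOLDER',
    'CharacterSet' => 'UTF-8',
]);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// The row key is validated as an integer before it reaches the query; the
// comment text needs no filtering at all for the database's sake because it
// is bound as data, so "don't", "sister's" and any quote-laden text are stored verbatim.
$rowId = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if ($rowId === false || $rowId === null) {
    http_response_code(400);
    exit('missing or invalid ID');
}
$updated = update_comments($conn, $rowId, $_POST['RACOMMENTS'] ?? '');
echo "$updated row(s) updated", PHP_EOL;
sqlsrv_close($conn);
```

The placeholders are positional (?), and the driver sends the parameter values in a separate part of the wire protocol, so no escaping step exists to get wrong. Output encoding (HTML-escaping the comment when it is displayed) is a separate concern and still applies regardless of how the value was stored.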