I have a PHP form where users can enter data. When they do, they use special characters like single quotes.
This prevents their data from being put into the SQL table. I am NOT using MySQL. I am using SQL Server.
How can I fix this?
My code is:
include'dbcon.php';
//connectiontothedatabase
$dbhandle=mssql_connect($myServer,$myUser,$myPass)
or die("Couldn't connect to SQL Server");
//selectadatabasetoworkwith
$selected=mssql_select_db($myDB,$dbhandle)
or die("Couldn't open database");
session_start();
$surnum=$_SESSION['surnum'];
$email=$_SESSION['email'];
$site=$_SESSION['site'];
$query="INSERT INTO ZSURVEYA(SURNUM_0,EMAIL_0,A_0,A_1,A_2,A_3,A_4,A_5,A_6,A_7,A_8,A_9,A_10,A_11,A_12,A_13) VALUES ('$surnum','$email',convert(varchar(max),'$_POST[Q_0]'),convert(varchar(max),'$_POST[Q_1]'),convert(varchar(max),'$_POST[Q_2]'),convert(varchar(max),'$_POST[Q_3]'),convert(varchar(max),'$_POST[Q_4]'),convert(varchar(max),'$_POST[Q_5]'),convert(varchar(max),'$_POST[Q_6]'),convert(varchar(max),'$_POST[Q_7]'),convert(varchar(max),'$_POST[Q_8]'),convert(varchar(max),'$_POST[Q_9]'),convert(varchar(max),'$_POST[Q_10]'),convert(varchar(max),'$_POST[Q_11]'),convert(varchar(max),'$_POST[Q_12]'),convert(varchar(max),'$_POST[Q_13]'))";
mssql_query($query);
