Make content safe for MSSQL insertion

I’ve written a program for my company which retreives an email from a mailbox, inserts the content into an MSSQL table, then deletes the email.

In MSSQL you need to escape the ’ character by using another ’ character. I have therefore used the following code to make the content db safe:

$emailContent = str_replace("'", "''", $emailContent);

This normally avoids any insertion errors. However, after receiving a large HTML encoded email I received the following error message:

PHP Warning:  mssql_query(): message: Unclosed quotation mark after the character string 'View online version: <[Redirect Error]('. (severity 15)

Unfortunately the email was deleted before I got a chance to examine it properly. Would anyone be able to tell me some extra measures I could take to make the content db safe?

Many thanks

pretty hard to tell where that extra quote is, because the error message itself looks like it uses quotes around the problematic string

also, regarding this…

that’s actually standard SQL

in fact, mysql also supports it, even though most people are more used to seeing mysql’s non-standard backslash escape character

Thanks for your reply r937.

After examining the problem further it appears it may have occured because the email content was too large for the db column which has a max limit of 8000 chars. I’ve now taken measures to prevent this.