I have a query:

$sql = "SELECT CustomerID FROM tblCustomer
WHERE EmailAddress = '".addslashes($_POST['username']) ."' AND Password = '".addslashes($_POST['password']) ."'";

When printed, it comes out as:

SELECT CustomerID FROM tblCustomer WHERE EmailAddress = 'test@ab\'c.com' AND Password = '123'
addslashes() will escape single quotes with a leading backslash, which is valid syntax in MySQL but not in MS SQL Server. The correct way to escape a single quote in MS SQL Server is with another single quote. Use mysql_real_escape_string() for MySQL (mysql_escape_string() has been deprecated). Unfortunately, no analogous mssql_ function exists, so you'll have to roll your own using preg_replace() or something similar. Better yet, use a database-neutral abstraction layer such as PDO that supports parameterized queries.
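What the answer recommends, written out as an added example (not code from the question or the answer): the same customer lookup as a PDO prepared statement, plus the small quote-doubling helper the answer describes for legacy code that still builds MS SQL strings by hand. The DSN, host, database name, credentials and the `findCustomerId` / `mssqlQuoteLiteral` names are assumptions.

```php
<?php
// Added example. Assumptions: SQL Server reached through the pdo_sqlsrv driver,
// server "dbhost", database "shop", application credentials appuser/secret.
// For MySQL only the DSN changes (e.g. 'mysql:host=dbhost;dbname=shop;charset=utf8mb4');
// the prepared statement below is identical.

function connect(): PDO
{
    $dsn = 'sqlsrv:Server=dbhost;Database=shop';
    return new PDO($dsn, 'appuser', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // ask the server to prepare, not the client
    ]);
}

/**
 * Returns the CustomerID for the given e-mail/password pair, or null if no row matches.
 * Both values travel as bound parameters, so the quote in test@ab'c.com is plain
 * data to the server: no addslashes(), no backslash-vs-double-quote dialect problem.
 */
function findCustomerId(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT CustomerID FROM tblCustomer WHERE EmailAddress = :email AND Password = :password'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/**
 * Fallback for legacy code that still concatenates SQL for MS SQL Server:
 * a T-SQL string literal escapes a single quote by doubling it, not with a backslash.
 * Prefer the prepared statement above; use this only where that is not yet possible.
 */
function mssqlQuoteLiteral(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Constructed sample input: the address from the question, with the embedded quote.
$email = "test@ab'c.com";
echo mssqlQuoteLiteral($email), PHP_EOL;   // 'test@ab''c.com'
var_dump(findCustomerId(connect(), $email, '123'));
```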