How to handle user input containing quotes (etc)?
I have a standard text input field. It gets its value from $_POST
and I use it to build an SQL query (ODBC, not just MySQL, if that makes a difference; for instance, I can't use mysql_escape_string()).
The query which I am building has single quotes on the PHP and double quotes on the SQL. E.g.:
$sql = 'SELECT * FROM ' . $table . ' WHERE field="' . $_POST['some_field'] . '"';
If the user includes a double quote in his input, e.g. 6" wrench, then I get an SQL error on the unbalanced string (a single quote, as in O'Reilly, gives no problem).
What's the correct way to handle this? Again, I am using the ODBC interface, not MySQL.
Is it just a matter of addslashes()? Or magic quotes?
Update: the PHP manual says of magic quotes ...
This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
(not that they suggest an alternative; in fact, it also says that magic quotes will be dropped in PHP 6)
Should the answer be to use prepared statements?
Use PDO prepared statements. It supports ODBC.
Use odbc_prepare and odbc_execute, like PDO.
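The asker's query rewritten the way the two answers above suggest, as an added example that is not code from the question or from either answer: once with PDO prepared statements, once with odbc_prepare()/odbc_execute(). The DSN, credentials, table names and the allow-list are assumptions for illustration.

```php
<?php
// Added example, not code from the question or from either answer above: the
// asker's query rewritten two ways, with PDO prepared statements and with
// odbc_prepare()/odbc_execute(). The DSN, credentials and table names are
// assumptions for illustration; replace them with your own.

// A placeholder can carry a value but never an identifier, so the table name
// (which the asker also interpolates) is checked against a fixed allow-list.
const ALLOWED_TABLES = ['inventory', 'customers'];

function checkTable(string $table): string
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    return $table;
}

// PDO over ODBC: the value travels separately from the SQL text, so
// 6" wrench and O'Reilly are both matched literally and cannot change the query.
function findByFieldPdo(PDO $pdo, string $table, string $value): array
{
    $table = checkTable($table);
    $stmt = $pdo->prepare("SELECT * FROM $table WHERE field = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same query through the procedural odbc_* API.
function findByFieldOdbc($conn, string $table, string $value): array
{
    $table = checkTable($table);
    $stmt = odbc_prepare($conn, "SELECT * FROM $table WHERE field = ?");
    if ($stmt === false || !odbc_execute($stmt, [$value])) {
        throw new RuntimeException(odbc_errormsg($conn));
    }
    $rows = [];
    while (($row = odbc_fetch_array($stmt)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

$input = $_POST['some_field'] ?? '';   // e.g. 6" wrench, passed through unescaped

$pdo = new PDO('odbc:MyDSN', 'dbuser', 'dbpass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$rows = findByFieldPdo($pdo, 'inventory', $input);

$conn = odbc_connect('MyDSN', 'dbuser', 'dbpass');
$rows = findByFieldOdbc($conn, 'inventory', $input);
```

Neither version calls addslashes() or relies on magic quotes; the driver binds the value, so no hand quoting is needed and the unbalanced-quote error disappears.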
Even easier... why not just use htmlspecialchars?
http://us3.php.net/manual/en/function.htmlspecialchars.php
I mean, it's faster, and I'm assuming that the reason why you're giving users a data field that allows them to use quotes is because you're going to print that data back out at some point. Which is still doable, and you don't have to change around where you store your data.