Escape string in mssql/php

Question

I want to insert html-code in database. How can I correctly escape string?

$html = '<tag>';
$sql = 'UPDATE table SET text = ? WHERE id = 1';
$stmt = sqlsrv_prepare($conn, $sql, array(&$html));
sqlsrv_execute($stmt);

This code throw error: Incorrect syntax near '<'.

Your code is absolutely good. What versions of PHP and SQLSRV do you use? It might be a bug in PHP extension. — kba, Nov 11 '15 at 09:13

score -2 · Answer 1 · edited Oct 23 '15 at 13:42

-2

Escape the HTML with

htmlspecialchars($html)

This function changes < to the HTML code for <

This will fix you problem.

edited Oct 23 '15 at 13:42

Funk Forty Niner

answered Oct 23 '15 at 13:32

KBeckers

1 Answers1