Inserting string with < and > operators into Database using PHP

Question

I am trying to insert a string from my web application into the database I've connected to.

String is passed from JavaScript to PHP using AJAX perfectly fine, but when the insert is executed, the string cuts off whatever is after the "<" or ">" operators.

example string: "Return to doctor <= 7 days after surgery"

what is inserted now: "Return to doctor "

desired insertion: "Return to doctor <= 7 days after surgery"

This is the code I have right now:

$string = $_POST['string'];
$sqlInsert = "UPDATE table set string = ? where date = ?";
$run = odbc_prepare($conn, $sqlInsert);
odbc_execute($run, array($string,$date));

this insertion works great for other strings without great than or less than operators

Answer 1

It is very likely that the insert is performing the operation without any issues and those < and > symbols are safely stored in your database.

The issue which you are experiencing is outputting that data to the browser. The web browser treats the < as an opening tag for an html tag. Basically, you are supplying the browser with some made up <= 7 days after surgery> html tag so it just ignores it as invalid html.

This is what you need in order to see your special characters without mucking up your html:

echo htmlentities($row['string']);

Answer 2

You can use N prefix in your query,If you write strings with the N prefix into a varchar field it will be implicitly converted. for example

values (N'Return to doctor >= 7')

You can read more details in this answer this answer