
Cannot Insert Link into MySQL using Prepared Statement

I have created a form which inserts data into a MySQL database. Here are the form fields; they are part of a <form>, but I have not displayed the whole form here, just the fields which are creating a problem.

<tr> <td>Top 728x90 Ad</td><td><textarea name='topad'><?=$r['topad']?></textarea></td></tr>
<tr> <td>Sidebar 250x250 Ad</td><td><textarea name='sidebarad'><?=$r['sidebarad']?></textarea></td></tr>

This part of code processes the input and inserts it into the database.

if(isset($_POST['submit'])) {

    $topad = $_POST['topad'];
    $sidebarad = $_POST['sidebarad'];

    $update = $connection->prepare("UPDATE site SET topad = '$topad' , sidebarad = '$sidebarad' WHERE id=1");
    $update->execute(array());
}

The problem with this code is that it is not accepting/processing the part of the data involving the <a href="#"> & </a> code. This is not about escaping HTML characters, because all the other HTML tags like <img>, etc. are showing as they are, which is what I want.

So, whenever I insert an <a> tag, it just disappears; it neither gets inserted in the database nor shows up in the form after pressing the submit button.

UPDATE: When the link is inserted using double quotes, it gets accepted. If I use single quotes, it is not processed. E.g. <a href="someurl"> will be accepted in the DB, while <a href='someurl'> will not.

Why does this error happen?

The reason is that you are using a prepared statement but the values are not parameterized. Try the code below:

$topad = $_POST['topad'];
$sidebarad = $_POST['sidebarad'];

$update = $connection->prepare("UPDATE site SET topad = :topad , sidebarad = :sidebarad WHERE id=1");
$update->execute(array(':topad' => $topad, ':sidebarad' => $sidebarad));
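
The difference between the question's query and the answer's, as an added example that is not part of the original question or answer: it runs both patterns against the same input and shows why only the single-quoted link was lost, then encodes the stored value for redisplay in the <textarea>. It assumes the pdo_sqlite extension, with an in-memory SQLite table standing in for the MySQL site table; the function names and the sample ad markup are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL "site" table so this runs offline.
$db = new PDO('sqlite::memory:');
// Surface SQL errors as exceptions instead of letting a failed query pass silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE site (id INTEGER PRIMARY KEY, topad TEXT, sidebarad TEXT)");
$db->exec("INSERT INTO site (id, topad, sidebarad) VALUES (1, '', '')");

// Constructed sample input: one ad with double-quoted attributes, one with single-quoted.
$samples = [
    'double' => '<a href="https://example.com/"><img src="ad.png"></a>',
    'single' => "<a href='https://example.com/'><img src='ad.png'></a>",
];

function updateInterpolated(PDO $db, string $topad): bool
{
    // The question's pattern: the value becomes part of the SQL text,
    // so a single quote inside it ends the string literal early.
    try {
        $db->prepare("UPDATE site SET topad = '$topad' WHERE id=1")->execute();
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

function updateParameterized(PDO $db, string $topad): bool
{
    // The answer's pattern: the SQL text is fixed and the value is bound separately.
    $stmt = $db->prepare("UPDATE site SET topad = :topad WHERE id=1");
    return $stmt->execute([':topad' => $topad]);
}

foreach ($samples as $label => $html) {
    $ok = updateInterpolated($db, $html);
    printf("interpolated  %-6s => %s\n", $label, $ok ? 'stored' : 'SQL error');
    updateParameterized($db, $html);
    $stored = $db->query("SELECT topad FROM site WHERE id=1")->fetchColumn();
    printf("parameterized %-6s => %s\n", $label, $stored === $html ? 'stored intact' : 'mismatch');
}

// When redisplaying in the <textarea>, encode the value so stored markup cannot close the tag.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```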
