In PHP, you can use the sqlsrv_real_escape_string() function to escape strings in SQL Server.
You can use the preg_replace function in PHP to remove all non-numeric characters from a string.