• Status: Solved

Code fails to insert text from textarea into table with mediumtext field

On a form I have a textarea object that I want to insert/update a table where it maps to a mediumtext field.

The code gives me no errors but doesn't perform the insert or update.

If I echo the SQL and run it in a query window, it runs just fine (albeit without the special chars like carriage returns).

Here is the table structure:
messageid INT
type TINYINT
authorid INT
datetime DATETIME
subject VARCHAR 100
message MEDIUMTEXT

And here is the code:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . $message . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);      


Any ideas?
Asked: HarpuaFSB

nizsmo (Developer) commented:
How about trying to change the MEDIUMTEXT into TEXT?

HarpuaFSB (Author) commented:
Do you mean change the field type or do an inline conversion?

mankowitz commented:
Are you sure that your code connects to the DB? Try a select query to make sure. Just so you know, mysql_query() will return false if there is a problem, but it will not end the script.

From the PHP docs:
For other type of SQL statements, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.
HarpuaFSB (Author) commented:
Yes, it connects just fine.

If I replace $message with "TEST", the query runs.

However, if I try to insert something like:
"
testing reply mode

------------ Original Message -----------
From: <a href="profile.php?id=71">Meggie D</a>
Date: 2007-11-19 10:58 AM

Testing 1..2..3...
"

it doesn't run the query.

nizsmo (Developer) commented:
HarpuaFSB:

You need to use addslashes() before passing it in, to escape characters like ".

nizsmo (Developer) commented:
E.g.:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . addslashes($message) . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);  

HarpuaFSB (Author) commented:
I thought the SafeSQL class I was using did that but I guess not.

Now my whole SQL injection defense is subject to question. Yikes.

mankowitz commented:
I think you would be better off with mysql_real_escape_string. See http://php.net/mysql_real_escape_string
Question has a verified solution.
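
The failure discussed in this thread, as an added example that is not code from any poster: it contrasts the question's string concatenation with a prepared statement, where the message is bound as a parameter and its quotes never reach the SQL parser. It assumes PHP 7+ with PDO and the SQLite driver (an in-memory database stands in for MySQL); the subject value and the function names are constructed for illustration.

```php
<?php
// Added example. Assumption: PDO with an in-memory SQLite database so it runs
// offline; for MySQL only the DSN changes. Columns follow the page's table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // report failures, never fail silently
$pdo->exec('CREATE TABLE messages (
    messageid INTEGER PRIMARY KEY, type INTEGER, authorid INTEGER,
    datetime TEXT, subject TEXT, message TEXT)');

// Constructed input modelled on the reply text quoted in the thread.
$fromuserid = 71;
$subject    = 'RE: test';
$message    = "testing reply mode\n\n------------ Original Message -----------\n"
            . "From: <a href=\"profile.php?id=71\">Meggie D</a>\n"
            . "Date: 2007-11-19 10:58 AM\n\nTesting 1..2..3...\n";

// 1) Concatenation as in the question: the first " inside $message closes the
//    string literal early, so the statement no longer parses.
function insertConcatenated(PDO $pdo, int $author, string $subject, string $message): string
{
    $sql = 'INSERT INTO messages (type, authorid, datetime, subject, message) VALUES ('
         . '0, ' . $author . ', "' . date('Y-m-d H:i:s') . '", "' . $subject . '", "'
         . $message . '")';
    try {
        $pdo->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// 2) Prepared statement: values travel as bound parameters, never as SQL text.
function insertPrepared(PDO $pdo, int $author, string $subject, string $message): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (type, authorid, datetime, subject, message)
                           VALUES (0, :author, :dt, :subject, :message)');
    $stmt->execute([':author' => $author, ':dt' => date('Y-m-d H:i:s'),
                    ':subject' => $subject, ':message' => $message]);
    return (int) $pdo->lastInsertId();
}

echo insertConcatenated($pdo, $fromuserid, $subject, $message), "\n";

$id   = insertPrepared($pdo, $fromuserid, $subject, $message);
$read = $pdo->prepare('SELECT message FROM messages WHERE messageid = ?');
$read->execute([$id]);
var_dump($read->fetchColumn() === $message); // compares the stored value with the input
```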
