Solved

Code fails to insert text from textarea into table with mediumtext field

Posted on 2007-11-20
8
468 Views
Last Modified: 2013-12-13
On a form I have a textarea object that I want to insert/update a table where it maps to a mediumtext field.

The code gives me no errors but doesn't perform the insert or update.

If I echo the sql and run it in a query window, it runs just fine (albeit without the special chars like carriage returns).

Here is the table structure:
messageid INT
type TINYINT
authorid INT
datetime DATETIME
subject VARCHAR 100
message MEDIUMTEXT

And here is the code:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . $message . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);      


Any ideas?
0
Comment
Question by:HarpuaFSB
  • 3
  • 3
  • 2
8 Comments
 
LVL 21

Expert Comment

by:nizsmo
ID: 20322675
How about trying to change the MEDIUMTEXT into TEXT?
0
 

Author Comment

by:HarpuaFSB
ID: 20322692
Do you mean change the field type or do an inline conversion?
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 20322706
Are you sure that your code connects to the DB? try a select query to make sure. Just so you know, the mysql_query will return false if there is a problem, but it will not end the script.

from the php docs:
For other type of SQL statements, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:HarpuaFSB
ID: 20322758
Yes, it connects just fine.

If I replace $message with "TEST", the query runs.

However, if I try to insert something like:
"
testing reply mode

------------ Original Message -----------
From: <a href="profile.php?id=71">Meggie D</a>
Date: 2007-11-19 10:58 AM

Testing 1..2..3...
"

it doesn't run the query.
0
 
LVL 21

Expert Comment

by:nizsmo
ID: 20322845
HarpuaFSB:

you need to use addslashes() before passing it in, to escape characters like ".
0
 
LVL 21

Accepted Solution

by:
nizsmo earned 500 total points
ID: 20322850
eg:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . addslashes($message) . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);  

Open in new window

0
 

Author Comment

by:HarpuaFSB
ID: 20322927
I thought the SafeSQL class I was using did that but I guess not.

Now my whole SQL injection defense is subject to question.  Yikes.
0
 
LVL 24

Expert Comment

by:mankowitz
ID: 20325095
I think you would be better off with mysql_real_escape_string. See http://php.net/mysql_real_escape_string
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
When it comes to protecting Oracle Database servers and systems, there are a ton of myths out there. Here are the most common.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question