Solved

Code fails to insert text from textarea into table with mediumtext field

Posted on 2007-11-20
Last Modified: 2013-12-13
On a form I have a textarea object that I want to insert/update a table where it maps to a mediumtext field.

The code gives me no errors but doesn't perform the insert or update.

If I echo the sql and run it in a query window, it runs just fine (albeit without the special chars like carriage returns).

Here is the table structure:
messageid INT
type TINYINT
authorid INT
datetime DATETIME
subject VARCHAR 100
message MEDIUMTEXT

And here is the code:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . $message . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);      


Any ideas?
Question by:HarpuaFSB
8 Comments
 
LVL 21

Expert Comment

by:nizsmo
How about trying to change the MEDIUMTEXT into TEXT?

Author Comment

by:HarpuaFSB
Do you mean change the field type or do an inline conversion?
LVL 24

Expert Comment

by:mankowitz
Are you sure that your code connects to the DB? Try a select query to make sure. Just so you know, the mysql_query will return false if there is a problem, but it will not end the script.

From the PHP docs:
For other type of SQL statements, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.

Author Comment

by:HarpuaFSB
Yes, it connects just fine.

If I replace $message with "TEST", the query runs.

However, if I try to insert something like:
"
testing reply mode

------------ Original Message -----------
From: <a href="profile.php?id=71">Meggie D</a>
Date: 2007-11-19 10:58 AM

Testing 1..2..3...
"

it doesn't run the query.
LVL 21

Expert Comment

by:nizsmo
HarpuaFSB:

You need to use addslashes() before passing it in, to escape characters like ".
LVL 21

Accepted Solution

by:
nizsmo earned 500 total points
eg:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . addslashes($message) . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);

Author Comment

by:HarpuaFSB
I thought the SafeSQL class I was using did that but I guess not.

Now my whole SQL injection defense is subject to question.  Yikes.
LVL 24

Expert Comment

by:mankowitz
I think you would be better off with mysql_real_escape_string. See http://php.net/mysql_real_escape_string

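Added example, not part of the thread and not any participant's code: it reproduces the failure discussed above (the double quote in the pasted href ends the string literal early) and shows a prepared statement as an alternative to addslashes() or mysql_real_escape_string(), where the values never become part of the SQL text. It assumes PHP with the PDO SQLite driver so it runs offline; the function names, subject and author id are hypothetical, and the message is constructed from the reply quoted in the thread.

```php
<?php
// PDO + in-memory SQLite so the example is self-contained; for MySQL only the
// DSN and credentials passed to PDO change (assumption, not shown here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors throw
$db->exec('CREATE TABLE messages (messageid INTEGER PRIMARY KEY, type INTEGER,
    authorid INTEGER, datetime TEXT, subject TEXT, message TEXT)');

// Constructed input modelled on the reply text quoted in the thread.
$message = "testing reply mode\r\n\r\n"
    . "------------ Original Message -----------\r\n"
    . "From: <a href=\"profile.php?id=71\">Meggie D</a>\r\n"
    . "Date: 2007-11-19 10:58 AM\r\n\r\nTesting 1..2..3...";

// The thread's approach: values concatenated into the statement text.
function insert_concatenated(PDO $db, int $authorid, string $subject, string $message): bool
{
    $sql = 'INSERT INTO messages (type, authorid, datetime, subject, message) VALUES (0, '
        . $authorid . ', "' . date('Y-m-d H:i:s') . '", "' . $subject . '", "' . $message . '")';
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        // The quote in href="..." closes the literal early, so the rest of
        // the message is parsed as SQL and the statement is rejected.
        return false;
    }
}

// Prepared statement: placeholders in the SQL, values bound separately.
function insert_prepared(PDO $db, int $authorid, string $subject, string $message): int
{
    $stmt = $db->prepare('INSERT INTO messages (type, authorid, datetime, subject, message)
        VALUES (0, :authorid, :dt, :subject, :message)');
    $stmt->execute([
        ':authorid' => $authorid,
        ':dt'       => date('Y-m-d H:i:s'),
        ':subject'  => $subject,
        ':message'  => $message,
    ]);
    return (int) $db->lastInsertId();
}

// Run both, then read the stored row back and compare it byte for byte.
var_dump(insert_concatenated($db, 1, 'RE: test', $message));
$id = insert_prepared($db, 1, 'RE: test', $message);
$check = $db->prepare('SELECT message FROM messages WHERE messageid = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $message);
```

Because the error mode is set to throw, a rejected statement cannot pass silently the way an unchecked mysql_query() return value does.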