• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 476
  • Last Modified:

Code fails to insert text from textarea into table with mediumtext field

On a form I have a textarea object that I want to insert/update a table where it maps to a mediumtext field.

The code gives me no errors but doesn't perform the insert or update.

If I echo the sql and run it in a query window, it runs just fine (albeit without the special chars like carriage returns).

Here is the table structure:
messageid INT
type TINYINT
authorid INT
datetime DATETIME
subject VARCHAR 100
message MEDIUMTEXT

And here is the code:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . $message . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);      


Any ideas?
0
HarpuaFSB
Asked:
HarpuaFSB
  • 3
  • 3
  • 2
1 Solution
 
nizsmoDeveloperCommented:
How about trying to change the MEDIUMTEXT into TEXT?
0
 
HarpuaFSBAuthor Commented:
Do you mean change the field type or do an inline conversion?
0
 
mankowitzCommented:
Are you sure that your code connects to the DB? try a select query to make sure. Just so you know, the mysql_query will return false if there is a problem, but it will not end the script.

from the php docs:
For other type of SQL statements, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
HarpuaFSBAuthor Commented:
Yes, it connects just fine.

If I replace $message with "TEST", the query runs.

However, if I try to insert something like:
"
testing reply mode

------------ Original Message -----------
From: <a href="profile.php?id=71">Meggie D</a>
Date: 2007-11-19 10:58 AM

Testing 1..2..3...
"

it doesn't run the query.
0
 
nizsmoDeveloperCommented:
HarpuaFSB:

you need to use addslashes() before passing it in, to escape characters like ".
0
 
nizsmoDeveloperCommented:
eg:
$sql = "INSERT INTO messages ";
$sql .= "(";
$sql .= "type, ";
$sql .= "authorid, ";
$sql .= "datetime, ";
$sql .= "subject, ";
$sql .= "message";
$sql .= ") VALUES (";
$sql .= "0, ";
$sql .= $fromuserid . ", ";
$sql .= "\"" . date("Y-m-d H:i:s", time()) . "\", ";
$sql .= "\"" . $subject . "\", ";
$sql .= "\"" . addslashes($message) . "\"";
$sql .= ")";
$safesql = & new SafeSQL_MySQL; //class module to protect against SQL injection attacks
$sql = $safesql->query($sql);
mysql_select_db($mysql);
mysql_query($sql);  

Open in new window

0
 
HarpuaFSBAuthor Commented:
I thought the SafeSQL class I was using did that but I guess not.

Now my whole SQL injection defense is subject to question.  Yikes.
0
 
mankowitzCommented:
I think you would be better off with mysql_real_escape_string. See http://php.net/mysql_real_escape_string
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now