
[SOLVED] Syntax Error on text field


RynMan


Hey guys


I'm trying to insert some text from a textarea on a form into a field in my SQL database. The field that it inserts into is a longtext field.


It gives me this error:


Database query failed
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ....etc


Thing is, when I cut out a couple of paragraphs of text from the end (there are about 5 short paragraphs in total) it works fine.


Anyone have any idea why I'm getting a syntax error with more text?


Here's my SQL...


$SqlInsert = "UPDATE tblothercv SET KAMClientID = $KamID, Display = $display, OtherCVDesc = '".$_POST["description"]."', ItemType = '$cvtype'
              WHERE WriterCVautoID = $CVOtherautoID ";


It's probably what the text is, not how much of it.


ALL string data that is put into a query statement must be escaped to prevent SQL special characters from breaking the syntax of the query and to help prevent sql injection.


You need to use mysql_real_escape_string on any string data put into a query.

The value you are inserting most likely has characters in it that need escaping. Try this:


OtherCVDesc = '" . mysql_real_escape_string($_POST["description"]) . "'


Additionally, I would reconsider placing POST values directly inside a query without doing some sort of data sanitizing first.

//REMOVE LEADING AND ENDING SPACES AND SLASHES
$sanitize = trim(strip_tags(stripslashes($_POST["description"])));

//DEFINE OUR KNOWN BAD CHARACTERS
$badChars = array('@', '#', '$', '%', '^', '*', '(', ')', '<', '>', '{', '}', '[', ']');

//DEFINE WHAT WE WILL REPLACE EACH BAD CHARACTER WITH
$replaceChars = array('', '', '', '', '', '', '', '', '', '', '', '', '', '');

//REMOVE CHARACTERS THAT WE KNOW DON'T NEED TO BE IN THE STRING
$sanitize = str_replace($badChars, $replaceChars, $sanitize);

//ANY LAST REMAINING CHARS THAT NEED ESCAPED
$sanitize = mysql_real_escape_string($sanitize);

//ISSUE THE VARIABLE AS A VALUE TO THE QUERY
OtherCVDesc = '$sanitize'
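What both replies are describing, as an added example that is not code from the thread: a Python reproduction of the question's UPDATE, run against an in-memory SQLite table instead of MySQL so it works offline. The table, the column values and the five-paragraph description are constructed for the example. `update_concatenated` splices the text into the SQL string the way the original `$SqlInsert` does; `update_parameterized` sends the same text through a placeholder, which is the equivalent of what `mysql_real_escape_string` was protecting against and what PDO or mysqli prepared statements do in PHP today.

```python
import sqlite3

# Constructed sample input (not from the thread): a five-paragraph CV
# description of the kind the question's textarea would post. Paragraph 4
# contains an apostrophe; the first three paragraphs contain none.
DESCRIPTION = (
    "Senior copywriter with ten years in print and digital.\n\n"
    "Worked on campaigns for retail and travel clients.\n\n"
    "Available for freelance and contract work.\n\n"
    "Client's feedback: \"fast turnaround, no fuss\".\n\n"
    "Based in Sydney, happy to travel."
)


def first_paragraphs(text, n):
    """Return the first n blank-line-separated paragraphs of text."""
    return "\n\n".join(text.split("\n\n")[:n])


def make_db():
    """In-memory stand-in for tblothercv with the columns the question updates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblothercv ("
        " WriterCVautoID INTEGER PRIMARY KEY,"
        " KAMClientID INTEGER, Display INTEGER,"
        " OtherCVDesc TEXT, ItemType TEXT)"
    )
    conn.execute("INSERT INTO tblothercv VALUES (7, 1, 1, 'old text', 'other')")
    conn.commit()
    return conn


def update_concatenated(conn, description):
    """The question's approach: splice the text into the SQL string unescaped.

    Returns (ok, error_text). An apostrophe in the description ends the quoted
    literal early and the rest of the text is parsed as SQL, which is what
    produces the "error in your SQL syntax" message.
    """
    sql = (
        "UPDATE tblothercv SET KAMClientID = 1, Display = 1, "
        "OtherCVDesc = '" + description + "', ItemType = 'other' "
        "WHERE WriterCVautoID = 7"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return True, ""
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def update_parameterized(conn, description):
    """Hardened form: placeholders carry the text separately from the SQL,
    so quotes, newlines and SQL keywords in the description are only data."""
    conn.execute(
        "UPDATE tblothercv SET KAMClientID = ?, Display = ?, "
        "OtherCVDesc = ?, ItemType = ? WHERE WriterCVautoID = ?",
        (1, 1, description, "other", 7),
    )
    conn.commit()
    return True, ""


def stored_description(conn):
    """Read back what actually landed in the row."""
    row = conn.execute(
        "SELECT OtherCVDesc FROM tblothercv WHERE WriterCVautoID = 7"
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    # Three paragraphs (no apostrophe) go through even when concatenated,
    # which is why trimming the end of the text "fixed" it for the asker.
    print("concatenated, 3 paragraphs:",
          update_concatenated(conn, first_paragraphs(DESCRIPTION, 3)))
    print("concatenated, 5 paragraphs:", update_concatenated(conn, DESCRIPTION))
    print("parameterized, 5 paragraphs:", update_parameterized(conn, DESCRIPTION))
    print("stored text matches input:", stored_description(conn) == DESCRIPTION)
```

The concatenated form fails only once the paragraph with the apostrophe is included, which matches the symptom in the question: the length of the text is irrelevant, its content is not. With the parameterized form the full text is stored exactly as typed, so there is nothing to escape and no reason to strip characters such as `@` or `#` from legitimate input, which the character list in the reply above would do to, for example, an e-mail address. In PHP the `mysql_*` extension, including `mysql_real_escape_string`, was removed in PHP 7; the equivalent of the placeholder version here is a prepared statement with PDO or mysqli.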