
Hey guys

 

I'm trying to insert some text from a textarea on a form, into a field in my SQL database.  The field that it Inserts into is a longtext field. 

 

It gives me this error:

 

Database query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ....etc

 

Thing is, when I cut out a couple of paragraphs of text from the end (there's about 5 short paragraphs in total) it works fine. 

 

Anyone have any idea why I'm getting a syntax error with more text?

 

Here's my SQL...

 

$SqlInsert = "UPDATE tblothercv SET KAMClientID = $KamID, Display = $display, OtherCVDesc = '".$_POST["description"]."', ItemType = '$cvtype'
              WHERE WriterCVautoID = $CVOtherautoID";

https://forums.phpfreaks.com/topic/175929-solved-syntax-error-on-text-field/

It's probably what the text is, not how much of it.

 

ALL string data that is put into a query statement must be escaped to prevent SQL special characters from breaking the syntax of the query and to help prevent SQL injection.

 

You need to use mysql_real_escape_string on any string data put into a query.

The value you are inserting most likely has characters in it that need to be escaped.  Try this:

 

OtherCVDesc = '" . mysql_real_escape_string($_POST["description"]) . "'

 

Additionally, I would reconsider placing POST values directly inside a query without doing some sort of data sanitizing first.

 

 

//REMOVE LEADING AND TRAILING WHITESPACE, HTML TAGS AND BACKSLASHES
$sanitize = trim(strip_tags(stripslashes($_POST["description"])));

//DEFINE OUR KNOWN BAD CHARACTERS
$badChars = array('@', '#', '$', '%', '^', '*', '(', ')', '<', '>', '{', '}', '[', ']');

//DEFINE WHAT WE WILL REPLACE EACH BAD CHARACTER WITH (ONE ENTRY PER BAD CHARACTER)
$replaceChars = array('', '', '', '', '', '', '', '', '', '', '', '', '', '');

//REMOVE DANGEROUS CHARACTERS THAT WE KNOW DON'T NEED TO BE IN THE STRING
$sanitize = str_replace($badChars, $replaceChars, $sanitize);

//ESCAPE ANY LAST REMAINING CHARS THAT NEED ESCAPING
$sanitize = mysql_real_escape_string($sanitize);

//ISSUE THE VARIABLE AS A VALUE TO THE QUERY
OtherCVDesc = '$sanitize'

 

 
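The breakage both replies describe, shown end to end as an added example that is not code from the thread: PDO prepared statements stand in for the mysql_real_escape_string() escaping the replies suggest, since the mysql_* extension was removed in PHP 7, and an in-memory SQLite database stands in for the MySQL connection so the script runs offline. The table definition, the column types and the sample textarea text are constructed assumptions.

```php
<?php
// Constructed demo: PDO with in-memory SQLite replaces the thread's MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed schema: the thread names the columns but not their types.
$pdo->exec("CREATE TABLE tblothercv (
    WriterCVautoID INTEGER PRIMARY KEY,
    KAMClientID INTEGER, Display INTEGER, OtherCVDesc TEXT, ItemType TEXT)");
$pdo->exec("INSERT INTO tblothercv VALUES (7, 1, 1, 'old text', 'cv')");

// Constructed textarea input: one ordinary apostrophe is enough to break the raw query.
$description = "Managed the client's key accounts.\n\nSecond paragraph of the CV.";
$KamID = 1; $display = 1; $cvtype = 'cv'; $CVOtherautoID = 7;

// 1. The original string-built query: the apostrophe terminates the SQL string
//    literal early, so the rest of the text is parsed as SQL and fails.
$SqlInsert = "UPDATE tblothercv SET KAMClientID = $KamID, Display = $display,
    OtherCVDesc = '$description', ItemType = '$cvtype'
    WHERE WriterCVautoID = $CVOtherautoID";
try {
    $pdo->exec($SqlInsert);
    echo "unexpected: raw query ran\n";
} catch (PDOException $e) {
    echo "raw query failed as in the thread: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the text travels as a bound parameter and is never parsed
//    as SQL, so apostrophes, quotes and backslashes in the textarea cannot break
//    the syntax or change the query's meaning.
$stmt = $pdo->prepare("UPDATE tblothercv
    SET KAMClientID = :kam, Display = :display, OtherCVDesc = :desc, ItemType = :type
    WHERE WriterCVautoID = :id");
$stmt->execute([
    ':kam' => $KamID, ':display' => $display, ':desc' => $description,
    ':type' => $cvtype, ':id' => $CVOtherautoID,
]);

// Verify the stored text is byte-for-byte what the user typed, with no
// characters stripped or mangled by a "bad character" filter.
$stored = $pdo->query("SELECT OtherCVDesc FROM tblothercv WHERE WriterCVautoID = 7")
              ->fetchColumn();
echo $stored === $description ? "stored intact\n" : "mismatch\n";
```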
