kumarrana - Posted January 4, 2008
I am writing a blog, but I have been getting the same error from MySQL. My MySQL field types are postid (int(6)), title (varchar(200)), category (varchar(200)), post (longtext), identification (int(11)), date_crated (timestamp). What I noticed is that when I have a really long post (100 words), I get an error like "You have an error in your SQL syntax". Plus my timestamp is giving all zero values. Does anybody have any idea what is wrong with my table?

awpti - Posted January 4, 2008
You're probably not escaping single or double quotes and are inadvertently causing a little SQL injection mischief. Make sure to escape all content being inserted (mysql_real_escape_string()).

kumarrana (Author) - Posted January 4, 2008
I am using stripslashes(), like $title = stripslashes($_POST['title']). Doesn't it work like mysql_real_escape_string()? Can you give an analogous example? That would be great.

redarrow - Posted January 4, 2008
Can we see the code? That way we can help.

kumarrana (Author) - Posted January 4, 2008

```php
function dump_in_mysql_post()
{
    $title = stripslashes($_POST['title']);
    $category = stripslashes($_POST['category']);
    $body = stripslashes($_POST['body']);
    echo $title . "<br>" . $category . "<br>" . $body . "<br>";
    $dump_in_mysql_post = "INSERT INTO `post` VALUES('$postid', '$title', '$category', '$body', '$identification', '$date_created')";
    $dump_in_mysql_post = mysql_query($dump_in_mysql_post);
    if (!$dump_in_mysql_post) {
        echo "Error on querying post " . "<b> " . mysql_error() . "</b>";
    } else {
        echo "Title : " . $title . " <br> ";
        echo "Category: " . $category . " <br> ";
        echo "Body: " . $body . " <br> ";
        echo "Identification : " . $identification;
        echo "Blog entry has been submitted";
    }
}
```

awpti - Posted January 4, 2008
You don't want to stripslashes, you want to use mysql_real_escape_string. This escapes content to make it "query-safe".

Northern Flame - Posted January 4, 2008
stripslashes() and mysql_real_escape_string() are nothing alike! Use mysql_real_escape_string().

redarrow - Posted January 4, 2008
Change timestamp table to int(35).
Change timestamp to now() in the insert.
Use the mysql_real_escape_string() function.

kumarrana (Author) - Posted January 4, 2008
Great! Seems to be working. Thanks a lot.

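The failure and fix discussed in this thread, as an added example that is not any poster's code: an apostrophe in the post text breaks the concatenated INSERT, while a parameterized INSERT stores it. It uses PDO prepared statements instead of mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7; the in-memory SQLite database (standing in for MySQL so the script runs offline) and the sample form values are assumptions.

```php
<?php
// Added example with constructed input. In-memory SQLite stands in for MySQL
// so the script runs offline (assumption: the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE post (postid INTEGER PRIMARY KEY, title VARCHAR(200),
    category VARCHAR(200), post TEXT, identification INTEGER,
    date_created TIMESTAMP)");

// Constructed form input: ordinary prose that happens to contain apostrophes.
$form = [
    'title'    => "Kumar's first entry",
    'category' => 'general',
    'body'     => "It's a long post, so sooner or later there's a quote in it.",
];

// 1) Pattern from the thread: stripslashes() only removes backslashes, it does
//    not escape quotes, so the apostrophe closes the string literal early.
$title = stripslashes($form['title']);
$category = stripslashes($form['category']);
$body = stripslashes($form['body']);
$sql = "INSERT INTO post VALUES (NULL, '$title', '$category', '$body', 0, '')";
try {
    $db->exec($sql);
    echo "concatenated query: inserted\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// 2) Parameterized insert: the values travel separately from the SQL text, and
//    the database fills date_created itself instead of receiving an empty string.
$stmt = $db->prepare(
    "INSERT INTO post (title, category, post, identification, date_created)
     VALUES (:title, :category, :post, :identification, CURRENT_TIMESTAMP)"
);
$stmt->execute([
    ':title'          => $form['title'],
    ':category'       => $form['category'],
    ':post'           => $form['body'],
    ':identification' => 1, // constructed value
]);

$row = $db->query("SELECT title, date_created FROM post")->fetch(PDO::FETCH_ASSOC);
echo "stored title: {$row['title']}\n";
echo "stored date:  {$row['date_created']}\n";
```

Against MySQL only the PDO connection string changes; the prepared INSERT stays the same.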