INSERTing very long string in an SQL query - ERROR

Question

The problem is that whenever I input a big-ass text in the form of my php page and try to INSERT it through a SQL query into the database, it gives me an error like this:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 'sample title', 'spent the long months of the rainy season shut up in a small room th' at line 1"

The query is this:

$sql = "INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, '$topic', '$message')";

The interesting thing is that it gives me no error when I manually insert the values and run the query in phpmyadmin.

score 2 · Answer 1 · answered Aug 11 '12 at 19:02

2

I bet there are single quotes ( ' ) in the string. Escape $topic before using it in your INSERT.

answered Aug 11 '12 at 19:02

Cranio

9,647
4
35
55

score 1 · Accepted Answer · answered Aug 11 '12 at 19:07

Use prepared statements:

$db = new PDO(...);
$stmt = $db.prepare("INSERT INTO `d` (`user_id`, `title`, `message`) VALUES ($user_id, :topic, :message)");
// I'm assuming that title is a VARCHAR(50) and message is a VARCHAR(500)
$stmt->bindParam(":topic", $topic, PDO::PARAM_STR, 50);
$stmt->bindParam(":message", $topic, PDO::PARAM_STR, 500);
$stmt->execute();

This places the job of escaping / properly passing data squarely in the hands of the database engine - which is where it belongs. Avoid building SQL strings from user input wherever you can and you'll avoid many potential SQL injection attacks.

INSERTing very long string in an SQL query - ERROR

2 Answers2

Linked