
I have a textarea that inserts into a database when submitted. It works when the text is typed, but sometimes does not work when the text is pasted into the textarea. Instead, it posts successfully, no errors.

Text copied from some webpages/websites works, for example text copied from blindtextgenerator.com, but not text copied from thebestpageintheuniverse.net (just for example).

I'm not sure what circumstance causes pasted text not to be inserted into the database. I've been running tests and I don't believe it's caused by links, tabs, new lines, or the size of the text.

Here is the relevant PHP file:

    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        // Redirect header; the original omitted the "Location: " prefix
        header("Location: /venue/index.php");

        $title = $_POST['title'];
        $post = $_POST['post'];
        // HTML-encodes the text before it is stored
        $title = htmlentities($title);
        $post = htmlentities($post);
        // Query built by string concatenation: any quote character in the
        // submitted text becomes part of the SQL itself
        $operation = "INSERT INTO talk (title, user, post)
                      VALUES('" . $title . "','" . $_SESSION['name'] . "', '" . $post . "');";

        // Return value is never checked, so a failed query goes unnoticed
        $result = mysqli_query($con, $operation);
    }
Goose
  • Stop trying to build SQL by smashing strings together. Your problems are almost certainly due to doing that incorrectly. I don't know why you are claiming there aren't any errors, your code doesn't look to see if database is reporting any in the first place. – Quentin Sep 01 '14 at 12:56
  • The solution is probably the same as http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Quentin Sep 01 '14 at 12:57
  • I'll try that, but what does that issue have to do with pasted text? – Goose Sep 01 '14 at 13:02
  • The issue can't be because you are pasting text. It must be because of characters in it. – Quentin Sep 01 '14 at 13:04
  • I'll try it. If I use PDO or MySQLi bind_param, should I remove htmlentities, or is that still needed? – Goose Sep 01 '14 at 13:07
  • You should remove htmlentities anyway. That is for use when you are putting data into an HTML document, not a database. – Quentin Sep 01 '14 at 13:08
  • @Quentin - "you shouldn't remove"... rather than "you should remove" – Mark Baker Sep 01 '14 at 13:09
  • @MarkBaker — No. This is code for inserting data into a database. Therefore the OP should not pass the data through `htmlentities` first. They should remove that code. (And, as implied, use it when the data is later taken out of the database and put in an HTML document). – Quentin Sep 01 '14 at 13:10
  • I think I was misunderstanding the context of what you said.... I interpreted it as you should still call htmlentities to remove markup special characters.... apologies – Mark Baker Sep 01 '14 at 13:13
  • PDO is still not working, check the code in the update in my question. – Goose Sep 01 '14 at 13:20
  • @Goose is this problem already solved? – John Robertson Sep 08 '14 at 04:14

2 Answers


When I was copying and pasting into a textarea it wasn't allowing me to insert the value into the database.

Now I found the solution:

HTML --- <textarea name="description"></textarea>

PHP --- Please add addslashes like $text = addslashes($_POST['description']);

    // $text is the addslashes() result from above: quotes and backslashes
    // in the submitted text are prefixed with a backslash before concatenation
    $query = "INSERT INTO addevent(event_description) VALUES ('$text')";
    mysqli_query($conn, $query) or die('unsuccessful');

This worked for me. Let me know if this worked for you also.

Thanks

Ammy

I had the same problem and this gave me a clue as to what was wrong: How can I prevent SQL injection in PHP?, like Quentin said already. There is a setting, probably a PHP setting, that isn't allowing large amounts of text to be inserted without preparing SQL statements.

I changed the way I was doing INSERTs and UPDATEs to the ways mentioned in the link above and here: http://php.net/manual/en/mysqli-stmt.bind-param.php

Nibb
  • It is too long ago to be sure this is the solution, but if my memory serves me correctly, I didn't have this understanding of databases. – Goose Sep 04 '15 at 20:31
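The approach Quentin's comments on the question and Nibb's answer point to, as an added example that is not code from the question or either answer: the question's INSERT written as a mysqli prepared statement, with database errors surfaced instead of ignored and `htmlentities` moved to output time. Table and column names are the question's; `$con` (a mysqli connection) and the session are assumed to be set up earlier in the file.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or answers: the question's INSERT
// rewritten as a mysqli prepared statement. Assumes $con (a mysqli connection)
// and session_start() are set up earlier in the file, as in the original.

// Report mysqli errors as exceptions instead of silently returning false, so a
// failed INSERT is visible instead of "posts successfully, no errors".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one row into talk. Each value travels as a bound parameter, so an
 * apostrophe or backslash in pasted text (constructed sample: "Don't panic")
 * is stored literally and never becomes part of the SQL text. Returns the id.
 */
function insertPost(mysqli $con, string $title, string $user, string $post): int
{
    $stmt = $con->prepare('INSERT INTO talk (title, user, post) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $title, $user, $post);
    $stmt->execute();
    $id = (int) $con->insert_id;
    $stmt->close();
    return $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Store the raw text: htmlentities belongs at output time, not before insert.
    $title = $_POST['title'] ?? '';
    $post  = $_POST['post'] ?? '';

    try {
        insertPost($con, $title, $_SESSION['name'], $post);
    } catch (mysqli_sql_exception $e) {
        // Log the database's reason server-side; show the user only a generic message.
        error_log('talk insert failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not save your post.');
    }

    // Redirect only after the insert succeeded, and stop the script afterwards.
    header('Location: /venue/index.php');
    exit;
}

// When the stored text is later put into an HTML page, escape it there:
// echo htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8');
```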