
Here I have code which inserts data into a db. It's working fine now, but I want the title to have a minimum of 4 characters and the body a minimum of 500.

Here is my code:

<?php
if (isset($_POST['submit'])) {
    // get blog data
    $title     = strip_tags($_POST['title']);
    $body      = strip_tags($_POST['body']);
    $posted_by = $first_name;
    $category  = $_POST['category'];
    $bio       = $bio;
    $userid    = $_COOKIE['user'];
    $date      = date('d-M-Y');
    if ($title && $body && $category) {
        $query = "INSERT INTO blogs (userid, title, body, posted_by, bio, category_id, posted) VALUES ('$userid', '$title', '$body', '$posted_by','$bio', '$category', '$date')";
        $run = mysqli_query($con, $query);
        // $run is false when the INSERT fails; $query is a non-empty string
        // and is always truthy, so the result must be tested, not the SQL text
        if ($run) {
            echo "posted";
        } else {
            echo "error";
        }
    } else {
        echo "data missing";
    }
}
?>

I tried the code below to put minimum requirements for the title and body, but it echoes the title error message whenever you submit data even when the title contains more than 5 characters.

<?php
if (isset($_POST['submit'])) {
    // get blog data
    $title     = strip_tags($_POST['title']);
    $body      = strip_tags($_POST['body']);
    $posted_by = $first_name;
    $category  = $_POST['category'];
    $bio       = $bio;
    $userid    = $_COOKIE['user'];
    $date      = date('d-M-Y');
    // this is the failing check: $title<5 is evaluated first and strlen()
    // receives the boolean result, so the title length is never measured
    if (strlen($title<5)) {
        echo "Title must be of minimum 5 characters";
    } else {
        // same misplaced parenthesis as above
        if (strlen($body<500)) {
            echo "Body must be of minimum 500 characters";
        } else {
            $query = "INSERT INTO blogs (userid, title, body, posted_by, bio, category_id, posted) VALUES ('$userid', '$title', '$body', '$posted_by','$bio', '$category', '$date')";
            $run = mysqli_query($con, $query);
            // test the query result, not the SQL string
            if ($run) {
                echo "posted";
            } else {
                echo "error";
            }
        }
    }
}
?>
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 25 '15 at 12:01

3 Answers

A question as such deserves an explanation for future readers to the question.

The reason why your code is failing, is that:

if (strlen($title<5))

evaluates to:

function($string conditional)

when the syntax is:

function($string) conditional

The manual states:

int strlen ( string $string )

Example pulled from the manual:

if (strlen($foo) === 0) echo 'Null length is Zero <br>';

Plus, as stated in the comments, your query is subject to SQL injection. It's best to use a prepared statement.

Consult the following links:

Funk Forty Niner
  • Is mysqli_real_escape_string efficient in preventing such attacks? Is there any option other than prepared statements? I read the documents but they are too technical, so can you recommend me the easiest way to prevent injections? I thought migrating from mysql to mysqli would be enough ;) –  Sep 26 '15 at 03:39
    @Harman Have a read at this article on Stack http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string - It's rather long, but worth reading. You can use `mysqli_real_escape_string()` to a certain extent. – Funk Forty Niner Sep 26 '15 at 11:52
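The two points of this answer put together, as an added example that is not code from the question or from any of the answers: the length checks written with the parentheses in the right place, followed by the same INSERT as a prepared statement. The table and column names are the ones from the question; `$con` is assumed to be an open mysqli connection and `$first_name` and `$bio` are assumed to be set earlier in the page, as they are in the question. The limits (5 for the title, 500 for the body) are the ones the question's code uses, and the function names `validate_post` and `insert_blog` are this example's own.

```php
<?php
// Added example, not from the original question or answers.
declare(strict_types=1);

const TITLE_MIN = 5;
const BODY_MIN  = 500;

/**
 * Returns a list of error messages; an empty list means the post is valid.
 * Order of operations: strlen($title) < TITLE_MIN measures the string and
 * then compares. The question's strlen($title < 5) compares first and hands
 * strlen() a boolean (true becomes "1", false becomes ""), so it never looks
 * at the title length at all.
 */
function validate_post(string $title, string $body, string $category): array
{
    $errors = [];

    // mb_strlen counts characters, strlen counts bytes: a 4-character UTF-8
    // title such as "日本語字" is 12 bytes and would pass a byte count.
    if (mb_strlen(trim($title)) < TITLE_MIN) {
        $errors[] = 'Title must be of minimum ' . TITLE_MIN . ' characters';
    }
    if (mb_strlen(trim($body)) < BODY_MIN) {
        $errors[] = 'Body must be of minimum ' . BODY_MIN . ' characters';
    }
    // category_id is a numeric column; accept only a digit string so the
    // bound parameter is an int and the value is sanity-checked as well.
    if (!ctype_digit($category)) {
        $errors[] = 'Category must be selected';
    }
    return $errors;
}

/**
 * Inserts the post with a prepared statement. The values travel to MySQL
 * separately from the SQL text, so a title such as  ', '', '');--  is
 * stored literally instead of terminating the statement.
 */
function insert_blog(mysqli $con, string $userid, string $title, string $body,
                     string $posted_by, string $bio, int $category): bool
{
    $sql = 'INSERT INTO blogs (userid, title, body, posted_by, bio, category_id, posted)
            VALUES (?, ?, ?, ?, ?, ?, ?)';
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $date = date('d-M-Y');
    // "sssssis": five strings, one int, one string, matching the placeholders.
    $stmt->bind_param('sssssis', $userid, $title, $body, $posted_by, $bio, $category, $date);
    $ok = $stmt->execute();   // check the execution result, not the SQL string
    $stmt->close();
    return $ok;
}

if (isset($_POST['submit'])) {
    $title    = strip_tags($_POST['title'] ?? '');
    $body     = strip_tags($_POST['body'] ?? '');
    $category = (string) ($_POST['category'] ?? '');
    // As in the question, the user id is read from a cookie. A plain cookie is
    // client-controlled, so in practice this should be the authenticated
    // identity kept server-side (for example in the session).
    $userid   = $_COOKIE['user'] ?? '';

    $errors = validate_post($title, $body, $category);
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo htmlspecialchars($e), "<br>";
        }
    } elseif (insert_blog($con, $userid, $title, $body, $first_name, $bio, (int) $category)) {
        echo 'posted';
    } else {
        echo 'error';
    }
}
```

Because the length checks collect every error instead of stopping at the first one, a submission with a short title and a short body reports both problems in one round trip. The prepared statement does not make `strip_tags()` unnecessary for output, but it does make it irrelevant for the database: quotes, semicolons and comment markers in the title or body are just data once they are bound as parameters.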

I think the issue lies with the conditions you used.

if (strlen($title<5))

should be

if (strlen($title)<5)

similarly

if (strlen($body<500))

to be

if (strlen($body)<500)
Ashish Choudhary

Try this:

<?php
if (isset($_POST['submit'])) {
    // get blog data
    $title     = strip_tags($_POST['title']);
    $body      = strip_tags($_POST['body']);
    $posted_by = $first_name;
    $category  = $_POST['category'];
    $bio       = $bio;
    $userid    = $_COOKIE['user'];
    $date      = date('d-M-Y');
    // strlen() is applied to the string first, then the result is compared
    if (strlen($title) < 5) {
        echo "Title must be of minimum 5 characters";
    } else {
        if (strlen($body) < 500) {
            echo "Body must be of minimum 500 characters";
        } else {
            $query = "INSERT INTO blogs (userid, title, body, posted_by, bio, category_id, posted) VALUES ('$userid', '$title', '$body', '$posted_by','$bio', '$category', '$date')";
            $run = mysqli_query($con, $query);
            // test the query result, not the SQL string
            if ($run) {
                echo "posted";
            } else {
                echo "error";
            }
        }
    }
}
?>
Ushma Shah
    Why should the OP "try this"? A good answer will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO. – Jay Blanchard Sep 25 '15 at 11:59