-2

This is my promotion.php

    <form action="postingPromotionUpdate.php" method="post" enctype="multipart/form-data">
    Promo Title: <input type="text" name="promotionTitle"/><br/>
    Promo Remark: <textarea name="promotionText" cols="100" rows="10" </textarea><br/>
    <input type="submit" value="Update"/>
    </form>

This is my postPromotion.php

    include 'connect.php';
    $promotionTitle=$_POST['promotionTitle'];
    $promotionText=$_POST['promotionText'];
    mysql_query("update promotion set promotionTitle = '$promotionTitle', promotionText = '$promotionText' where indexNum = 1");
    echo "<script>alert('Update Successful!');</script>";

If I post short text, no problem. When I post a very long text, can't to post and save it.

urfusion
Ricky
  • If you are not able to fetch data on `postPromotion.php`, then check your `php.ini` for `post_max_size` – urfusion Mar 16 '16 at 13:09
  • check the column's length. – Funk Forty Niner Mar 16 '16 at 13:10
  • You also need to remove / replace single quotes ' in fields before sending it to SQL. – Peter K Mar 16 '16 at 13:10
  • @PeterK are you talking about this? `promotionTitle = '$promotionTitle', promotionText = '$promotionText'` to remove the quotes? If so, nope. That is false information you're giving. Those are string literals. – Funk Forty Niner Mar 16 '16 at 13:12
  • This is also not being closed –  Mar 16 '16 at 13:13
  • @WesMurray ah, good catch. If that's their *real* code ;-) – Funk Forty Niner Mar 16 '16 at 13:14
  • What does "can't to post and save it" mean? How *specifically* does it fail? – David Mar 16 '16 at 13:15
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Mar 16 '16 at 13:20
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 16 '16 at 13:21
  • Look at what @Fred-ii- said [in the second comment](http://stackoverflow.com/questions/36036611/cant-post-a-long-text-to-my-php#comment59722232_36036611). Your column width is too small. *Bulls-eye Ralph!* – Jay Blanchard Mar 16 '16 at 13:22
  • I think they've mostly turned a ***blind** eye* to it there Sam - @JayBlanchard who knows. Could be a mix of 2-3 things. Let them see the answer below. I am off to the *Running of the bulls*. - ciao for now mi amico. – Funk Forty Niner Mar 16 '16 at 13:25
  • @Fred-ii- I was talking about sanitizing input against SQL injection, but I see my approach was outdated long ago ) – Peter K Mar 16 '16 at 13:25
  • @PeterK I might also have misinterpreted your comment. In a way, if the OP is introducing any character that MySQL may be complaining about, then that would have shown up in `mysql_error()`, something they're not using. – Funk Forty Niner Mar 16 '16 at 13:27

1 Answer

0

Maybe that's because of two reasons:

1. Your character type in MySQL may be short (like varchar[100]); use 'longtext' as the character type.
2. You don't use mysql_real_escape_string. If single quotes come in your text, the query breaks. Use this function to recover that.

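    // Trim the value, undo magic-quotes escaping if it is enabled,
    // then escape it for use inside a quoted SQL string literal.
    function clean($str)
    {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    $promotionTitle = clean($_POST['promotionTitle']);
    $promotionText = clean($_POST['promotionText']);
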
Sanooj T
  • No, no, no, no, no! Please do not recommend old, deprecated technologies. The OP should learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 16 '16 at 13:23
  • He asked about his code so I just told him, anyway thanks – Sanooj T Mar 17 '16 at 04:39
  • I think using PDO is better than mysqli, maybe in the future mysqli will also be deprecated – Sanooj T Mar 17 '16 at 04:50
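
The prepared-statement approach recommended in the comments, applied to the question's UPDATE, as an added example that is not code from the question or the answer. It assumes an in-memory SQLite database in place of the MySQL connection from `connect.php`, a constructed schema and input, and a hypothetical helper `updatePromotion()`; the read-back comparison is one way to detect the truncation a too-short column causes.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL connection from connect.php
// so the example runs offline. For MySQL only the DSN and credentials change.
function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on any SQL error instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema: the page does not show the real column types.
    $pdo->exec('CREATE TABLE promotion (indexNum INTEGER PRIMARY KEY, promotionTitle TEXT, promotionText TEXT)');
    $pdo->exec("INSERT INTO promotion VALUES (1, 'old title', 'old text')");
    return $pdo;
}

// Hypothetical helper: the same UPDATE as postPromotion.php, with both values
// bound as parameters, so quotes in the text are data and never SQL syntax.
function updatePromotion(PDO $pdo, string $title, string $text): int
{
    $stmt = $pdo->prepare(
        'UPDATE promotion SET promotionTitle = :title, promotionText = :text WHERE indexNum = 1'
    );
    $stmt->execute([':title' => $title, ':text' => $text]);
    return $stmt->rowCount();
}

$pdo = openDatabase();

// Constructed input: long text containing single quotes, which would end the
// string literal early in the concatenated query from the question.
$title = "Spring 'mega' sale";
$text  = str_repeat("It's 50% off on 'selected' items. ", 500);

$changed = updatePromotion($pdo, $title, $text);

// Read the row back and compare with what was sent to detect silent truncation,
// which is what a too-short column produces when MySQL is not in strict mode.
$row = $pdo->query('SELECT promotionTitle, promotionText FROM promotion WHERE indexNum = 1')
           ->fetch(PDO::FETCH_ASSOC);

printf("rows changed: %d\n", $changed);
printf("sent %d bytes, stored %d bytes\n", strlen($text), strlen($row['promotionText']));
echo $row['promotionText'] === $text ? "stored text matches input\n" : "stored text was truncated\n";
```

With MySQL in strict mode, a value longer than the column raises an error instead of being truncated, and `PDO::ERRMODE_EXCEPTION` turns that error into an exception the script can report.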