I'm having trouble saving long text into a database from a form. The page loads and returns without saving or displaying an error. Short texts are saving. Here's the code:

HTML:

<textarea id="" name="text_01" style="width:80%; height:150px;">
</textarea>

PHP/SQL:

$_POST = filter_var($_POST, \FILTER_CALLBACK, ['options' => 'trim']);
if (isset($_POST['saveCover']) && !empty($_POST)) {
    $data = $_POST;
    if (empty($cover)) {
        error_log("New Text insert. ");
        $sql = "insert into tbl_text (id, text_01) values ($id, '".$data['text_01']."';
    } 

SQL(DB):

CREATE TABLE `tbl_text` (
  `id` int(11) NOT NULL,
  `text_01` text,
  `created_at` datetime DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='Project Cover Pages';
  • 2
    Change your table's `text_01` column type from `TEXT` to `LONGTEXT`. – Md Mobinur Rahman Oct 19 '21 at 06:29
  • 1
    The `TEXT` datatype accepts no more than 64 KB. If this is not enough, then use a wider datatype. *The page loads and returns without saving or displaying an error. Short texts are saving.* Check for warnings. Additionally, check the text to be inserted for symbols which must be escaped. – Akina Oct 19 '21 at 06:35
  • 2
    **Warning!** You're open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Oct 19 '21 at 06:41

1 Answer

Your query is open to injection.

From what I can see, you have quoted the text using ' (single quote). Now imagine the entered text contains a single quote: it will break your query. The length of the string is not the problem here. Also, you have missed a closing " (double quote).

Use a prepared statement. From your code I am not sure what you are using, PDO or mysqli, so update your code to use a prepared statement accordingly. Here, for testing purposes, use addslashes() to check if you can save long text.

$sql = "insert into tbl_text (id, text_01) values ($id, '".addslashes($data['text_01'])."')";
Subhashis Pandey
  • 2
    Please don't post insecure code, even for the OP "to test". Future new developers will see this without properly reading (or understanding) the comment in your answers, introducing insecure practices into their code base. Show how to properly use prepared statements instead. Security should be by design, not an after thought. – M. Eriksson Oct 19 '21 at 06:41
  • @MagnusEriksson, I noticed and mentioned that already. From the posted code it is not clear whether PDO or mysqli is used, so I left the prepared statement section to the user. – Subhashis Pandey Oct 19 '21 at 06:51
  • 1
    I know that you did, which is why I said _"Future new developers will see this without properly reading (or understanding) the comment in your answers"_. If you don't have enough information to write a proper answer (with secure code), then you should ask the OP for clarification in a comment. – M. Eriksson Oct 19 '21 at 07:03
  • Thanks, @SubhashisPandey! Adding .addslashes sorted the issue. @MagnusEriksson security concern noted. I'll rectify. – Henry Omondi Oct 19 '21 at 09:02
  • Can you please upvote, if that really helped you? – Subhashis Pandey Oct 23 '21 at 07:13
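As an added example, not code from the question or the answer, here is the insert from the question done with prepared statements for both PDO and mysqli, since the thread does not say which extension the OP uses. It assumes a MySQL database `appdb` reachable as user `appuser` with password `secret`, the `tbl_text` table from the question, and constructed sample texts; the error-reporting settings are included because the failed insert in the question returned silently.

```php
<?php
// Added example: the question's insert rewritten with bound parameters.
// Assumptions (not from the thread): database `appdb`, user `appuser`,
// password `secret`, and the `tbl_text` table defined in the question.
declare(strict_types=1);

function insertTextPdo(PDO $pdo, int $id, string $text): int
{
    // The driver sends $text as data, never as SQL, so a single quote,
    // backslash or a very long value cannot change the statement itself.
    $stmt = $pdo->prepare('INSERT INTO tbl_text (id, text_01) VALUES (:id, :text)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function insertTextMysqli(mysqli $db, int $id, string $text): int
{
    $stmt = $db->prepare('INSERT INTO tbl_text (id, text_01) VALUES (?, ?)');
    $stmt->bind_param('is', $id, $text); // i = integer, s = string
    $stmt->execute();
    return $stmt->affected_rows;
}

// Exceptions instead of silent failure: a rejected insert (bad SQL, value too
// long for the TEXT column, ...) now surfaces instead of "returning without
// saving or displaying an error" as in the question.
$pdo = new PDO('mysql:host=localhost;dbname=appdb;charset=utf8mb4', 'appuser', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'appuser', 'secret', 'appdb');

// Constructed inputs: one with quotes that would break string concatenation,
// one filling the 65,535-byte limit of a TEXT column noted in the comments.
$quoted = "O'Brien's draft; it's \"fine\"";
$long   = str_repeat('x', 65535);

$saved = insertTextPdo($pdo, 1, trim($quoted));
$saved += insertTextMysqli($db, 2, trim($long));
echo "rows inserted: {$saved}\n";
```

A value longer than the column allows still fails, but now as a thrown exception that names the column, which is the point at which widening the type to `MEDIUMTEXT` or `LONGTEXT` becomes the right fix.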