2
votes

Updated: The textarea I have provided in the form takes the user input as strings.

A string containing double quotes is inserted incompletely into the DB.

I have a string entered in the textarea as

"Don't worry too much about layout/design/text size, we will often "spice up" (i.e. bold, italic, spacing) your banner for a better overall look.

And when I insert the string into the DB, the string ends at

Don't worry too much about layout/design/text size, we will often

and is inserted partially. What should I do to allow all the single and double quotes to be inserted?

EDIT ON REQUEST

Below is the query I am using to insert into the database using PHP:

    "insert into products_description (products_id, products_name, products_logo_name1, products_logo_name2, products_logo_name3, products_description)"
    . " values ('" . (int)$products_id . "', 'banner_" . $products_id . "',"
    . " '" . $_POST['logoimage1'] . "', '" . $_POST['logoimage2'] . "', '" . $_POST['logoimage3'] . "',"   // logo fields are concatenated without escaping
    . " '" . mysql_real_escape_string($_POST['description']) . "')"

Here mysql_real_escape_string($_POST['description']) is not escaping double quotes and hence the insertion truncates. What should be done?

5
Actually it's not an SQL query, but PHP code, the very stub of it. - Your Common Sense
Note that you don't escape the logoimages, while you should, as well as any other string being added into the query. - Your Common Sense
Can you provide the schema of the database table? Perhaps the column isn't long enough to store all of the description... - ircmaxell
I have given the column the "text" type in the DB. - OM The Eternity
Nope, mysql_real_escape_string does escape quotes, and no truncating is possible. - Your Common Sense

5 Answers

5
votes

Escape the double quotes inside the string, like so:

$theString = "Hello, i wonder what all these \"quotes\" are doing in here...";

The backslash will tell the compiler to ignore the "meaning" of the following double quote and treat it like a normal character (this is what we call "escaping").

Also check out mysql_real_escape_string() when working with user input (this will automatically escape all dangerous elements in strings for use in a MySQL database).

3
votes

LOL
I haven't read the whole question, but I am sure I know the answer:

it's being inserted into the database all right, then retrieved all right, and then goes into an HTML form field's value... ;-)

Well, seriously.
You have to follow your data step by step.
There is some evil code in your application that does some evil things.
You have to follow your data flow and check at what stage it gets spoiled.
Just print your data out at these steps:

  • after receiving form data
  • before inserting into database
  • after retrieving from database
  • before printing back into form

That's your general fault: you take a multi-stage process as a single step.
You watch your string being inserted into the textarea, and the next time you see it in this textarea it is truncated. And you think it's a database issue. While you cannot be so sure - there are many steps where the database isn't involved. Look at your app not as a solid block but as a multi-stage process.

0
votes

Use the function mysql_real_escape_string() if it's coming from user input.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

0
votes

As per @Col. Shrapnel's scoldings :-)

Thanks again for making me scold myself.. sometimes it's necessary.

I echoed $_POST['description'] and it displayed as

Don't worry too much about layout/design/text size, we will often

and when I used

    htmlspecialchars(stripslashes($_POST['description']))

it gave me the complete string:

"Don't worry too much about layout/design/text size, we will often "spice up" (i.e. bold, italic, spacing) your banner for a better overall look.

> MORAL OF POST: DON'T GET OVERCONFIDENT ON SPAGHETTI CODE

0
votes

You need to escape your quotes.

If your DB is MySQL, pass all your data through the mysql_real_escape_string() function before saving it to the DB.

If you don't do this, you risk major security holes in your code, not just data going missing!

(In case you aren't doing it already, you should also be escaping other data for other purposes as well; e.g. data being sent back to the browser should be escaped to prevent rogue users adding raw HTML or JavaScript code to it to manipulate your site.)

There are a number of functions in PHP to deal with adding and removing escape characters and data filtering. If you want your site to be secure, you need to learn these functions and techniques.

[edit]

After seeing your edit:

Firstly, you need to escape all the strings in your query, not just the description, so add escaping to $_POST['logoimage1'], etc, as you'll have the same problems if any of those contain quotes.

However the escaping on the description field looks correct so I don't know why it would be truncated. The man page for mysql_real_escape_string() states that it escapes double and single quotes, so it should be okay for you. You can test this by print()ing the fully escaped SQL string; this will show if there's anything left unescaped.

Shot in the dark - have you checked the maximum length of your description field in the database? That could also cause string truncation, unlikely though; I imagine if you're inputting with a textarea you'll have set it up to be long enough.
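The following is an added example, not code from the question or from any of the answers. It walks the textarea string through the four checkpoints the second answer lists (form data, SQL statement, what MySQL stores, the HTML field it is printed back into) and reproduces the symptom from the question: the row is stored whole, and the text is cut at the first double quote only when it is echoed unescaped into a value="..." attribute, which is what the asker's htmlspecialchars(stripslashes(...)) finding in the fourth answer points at. Assumptions: the sample text is the post's sentence without its leading quote mark; the query is reduced to three columns but keeps the post's shape (logo field concatenated raw, description passed through an escaper with the same character set as mysql_real_escape_string()); the stripslashes() detail is modelled as PHP's magic_quotes_gpc (an addslashes() pass over every request value), which the page suggests but does not confirm; the SQL scanner only handles single-quoted literals and `-- ` comments, enough to show which values reach which column.

```python
"""Trace a textarea string: form -> PHP -> SQL literal -> stored value -> HTML field."""
import html

# Constructed sample: the post's sentence, without the leading quote mark shown in the question.
DESCRIPTION = ("Don't worry too much about layout/design/text size, we will often "
               '"spice up" (i.e. bold, italic, spacing) your banner for a better overall look.')

# Characters mysql_real_escape_string() backslash-escapes, per the manual text quoted above.
_SQL_ESC = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\", "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
_SQL_UNESC = {"0": "\0", "n": "\n", "r": "\r", "\\": "\\", "'": "'", '"': '"', "Z": "\x1a"}


def mysql_real_escape_string(s: str) -> str:
    return "".join(_SQL_ESC.get(c, c) for c in s)


def addslashes(s: str) -> str:
    """PHP addslashes(); magic_quotes_gpc (assumed on here) applied it to every $_POST value."""
    return "".join({"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0"}.get(c, c) for c in s)


def build_insert(products_id: int, logo1: str, description: str) -> str:
    """The post's query reduced to three columns: logo concatenated raw, description escaped."""
    return ("insert into products_description (products_id, products_logo_name1, products_description)"
            " values ('" + str(int(products_id)) + "', '" + logo1 + "', '"
            + mysql_real_escape_string(description) + "')")


def sql_literals(sql: str) -> list:
    """Decode the single-quoted literals as MySQL's lexer delimits them (backslash escapes,
    doubled quotes, '-- ' line comments): these are the values that actually reach the table."""
    literals, buf, i, in_str = [], [], 0, False
    while i < len(sql):
        c = sql[i]
        if not in_str:
            if sql.startswith("-- ", i):            # rest of the line is a comment
                break
            in_str = c == "'"
            i += 1
            continue
        if c == "\\" and i + 1 < len(sql):
            buf.append(_SQL_UNESC.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":   # '' inside a literal is one quote
            buf.append("'")
            i += 2
        elif c == "'":
            literals.append("".join(buf))
            buf, in_str = [], False
            i += 1
        else:
            buf.append(c)
            i += 1
    return literals


def render_input(value: str, escape_html: bool) -> str:
    """The form field the value is printed back into, with or without htmlspecialchars()."""
    body = html.escape(value, quote=True) if escape_html else value
    return '<input type="text" name="description" value="' + body + '">'


def browser_attribute_value(tag: str) -> str:
    """What a browser keeps from value="...": up to the next double quote, entities decoded."""
    start = tag.index('value="') + len('value="')
    return html.unescape(tag[start:tag.index('"', start)])


def trace(description: str, magic_quotes: bool, escape_html: bool) -> dict:
    """Run the four checkpoints and report what each one sees."""
    posted = addslashes(description) if magic_quotes else description      # 1. form data as PHP gets it
    sql = build_insert(1, "logo.png", posted)                              # 2. statement sent to MySQL
    stored = sql_literals(sql)[-1]                                         # 3. what the column holds
    shown = browser_attribute_value(render_input(stored, escape_html))     # 4. what the form shows
    return {"posted": posted, "sql": sql, "stored": stored, "shown": shown}


if __name__ == "__main__":
    for mq, esc in [(False, False), (True, False), (False, True)]:
        t = trace(DESCRIPTION, mq, esc)
        print(f"magic_quotes={mq} htmlspecialchars={esc}: "
              f"stored_intact={t['stored'] == DESCRIPTION} shown={t['shown']!r}")
    # The raw logo field is the injection point the comments warn about: the attacker
    # closes the literal early and decides what lands in the description column.
    print(sql_literals(build_insert(1, "logo.png', 'attacker text'); -- ", DESCRIPTION)))
```

With neither magic quotes nor HTML escaping, `stored` equals the full sentence while `shown` stops at "we will often ", exactly the truncated text in the question. With magic quotes on, the stored value carries extra backslashes (escaped twice), which is why stripslashes() appeared to help; with htmlspecialchars() on the way out, the field shows the whole string. Each context needs its own escaping, and only the description field gets the SQL one in the posted query.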