i have table article
1. id_arc int (11) auto increament
2. judul varchar (225)
3. isi text
4. date datetime
--ect

i already create a script to input data and run well
but if i try to input more than 2 paragraf this script doesn't work..
what happen?

i use AJAX, PHP and JQuery..
is it take effect to my script?
bdw i use innodb..
and this is my script

$judul=($_POST['judularticle']);
$id_sub=$_POST['id_subarticle'];
$isi=($_POST['isiarticle']);
    $ye=mysqli_query($con,"select * from article_sub where id_subarticle='$id_sub'");
    while($b=mysqli_fetch_array($ye)){
        $kategori=$b[id_katarticle];
            $judul_seo      = seo_title($judul);
            mysqli_query($con,"insert into article_news(id_katarticle,
                                id_subarticle,
                                id_userarticle,
                                judul,
                                isi,
                                counter,
                                status,
                                date)
                        values( '$kategori',
                                '$id_sub',
                                '$_SESSION[id_user]',
                                '$judul',
                                '$judul_seo',
                                '$isi',
                                '0',
                                'aktif',
                                '$tgl')
                    ");

    }

Maybe the varchar (225) kicks in here. Does the article that you are submitting not exceed the field's maximum storage size (225)?

If it contains single quotes, it can also fail your query.

minitauros : i have already change judul varchar (225) => judul varchar (200) but problem still exist
pritaeas : so what should i change on my script?

Member Avatar for diafol

I'm assuming that it's your 'isi' field. The 'text' type should be sufficient as it allows 2^16 bytes. Even allowing for multibyte characters, a 7 character average word length, you'd be left with more than enough for two to three reasonable paragraphs.

I'm assuming that as Pritaeas states that it is due to unescaped single quotes. Unless you add an 'or die(mysql_error())' or/and print the sql query to the screen we're only guessing.

after i try to look for the problem
i see that it couse of a single quote in my input data.
if i input data with double quote data could insert well.
but if there is single quote inside data, data could not inserted.

So? how can i make input data with single quote inside data??
what should i change on my script below?

    $judul=($_POST['judularticle']);
    $id_sub=$_POST['id_subarticle'];
    $isi=($_POST['isiarticle']);
    $ye=mysqli_query($con,"select * from article_sub where id_subarticle='$id_sub'");
    while($b=mysqli_fetch_array($ye)){
    $kategori=$b[id_katarticle];
    $judul_seo = seo_title($judul);
    mysqli_query($con,"insert into article_news(id_katarticle,
    id_subarticle,
    id_userarticle,
    judul,
    isi,
    counter,
    status,
    date)
    values( '$kategori',
    '$id_sub',
    '$_SESSION[id_user]',
    '$judul',
    '$judul_seo',
    '$isi',
    '0',
    'aktif',
    '$tgl')
    ");
    }

You could use mysql_real_escape_string() to escape all necessary characters within stuff you insert, I guess. E.g.

INSERT ... VALUES (mysql_real_escape_string($your_value), mysql_real_escape_string($your_value_2)) etc.

okey thanks alot all... now my script work well by using mysql_real_escape_string()
but i see the problem that mysql_real_escape_string() must be deprecate?
so what should i change?
i try mysqli_real_escape_string() but not work..

Member Avatar for diafol

You should bind parameters not use escape strings for mysqli.

Example from the manual:

$stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
mysqli_stmt_execute($stmt);

Note the 'sssd' relates to (s)tring and (d)ouble number. You can also use (i)nteger and (b)lob

okey thanks alot !
bdw can you tell me a basic tutorials, where i can change mysql to be mysqli ??
couse i see a problem several problem when i use mysqli.
i already open PHP.net but i confuse which script sould i change?/ and where i sould begin change my script
i want to change all of my script to be mysqli statement.? becouse i see that mysql would be deprecate in PHP 5

then i ask one thing again..
could i combine mysql_real_escape_string() with htmlspecialchars() ?

ugh my problem appear again !!
i try to input data with quote and double quote, and it run well
but when i copy paste text from other html page (with its style) to my text editor, it only input 1 line of text text ..

do you have any idea to solve this??
i already use mysql_real_escape_string()

Member Avatar for diafol

Why are you using mysql_* ? You're using mysqli_* functions aren't you?

Anyway, I think you'll find that using prepared queries and binding parameters is the way to go.

yes i try to use mysqli on my sqcrip but it i havent change all (couse i still little bit confuse of binding mysqli)

but ? is it effecting my input text??
and do you have a script to filter symbol (ascii) in input text?

Member Avatar for diafol

and do you have a script to filter symbol (ascii) in input text?

The whole point is you don't need to with prepared statements. An example has already been given to you. I don't know what more to suggest. If you insist on cleaning input, then you may as well use the deprecated mysql_* functions and take your chances.

okey i will bnding it to mysqli_* first

    $stmt = mysqli_prepare($con,"insert into news(title,
                                content,
                                status,
                                date)
                        values( '$title',
                                '$content',
                                'active',
                                '$tgl')");
    mysqli_stmt_bind_param($stmt, 'ssss', $code, $language, $official, $percent);
    $code = 'title';
    $language = 'Content Bavarian';
    $official = "active";
    $percent = date("Y-m-d H:i:s");
    /* execute prepared statement */
    mysqli_stmt_execute($stmt);

am I right?

am I right?

No. You replied to my code snippet. You can see there that you should use ? instead of the quoted variables above.

Member Avatar for diafol

As pritaeas points out:

$stmt = mysqli_prepare($con,"insert into news(title,
                            content,
                            status,
                            date)
                    values( ?,
                            ?,
                            ?,
                            ?)");
mysqli_stmt_bind_param($stmt, 'ssss', $title, $content, $active, $tgl);

$title = 'title';
$content = 'Content Bavarian';
$active = "active";
$tgl = date("Y-m-d H:i:s");

/* execute prepared statement */
mysqli_stmt_execute($stmt);
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.