插入-PHP和SQL Server

Question

I don't know what is going on, but it just doesn't want to work.

I keep getting this error when I submit my form:

Array ( [0] => Array ( [0] => 22001 [SQLSTATE] => 22001 [1] => 8152 [code] => 8152 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. ) [1] => Array ( [0] => 01000 [SQLSTATE] => 01000 [1] => 3621 [code] => 3621 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. ) )

Here's the PHP Code:

    <?php
$who = $_REQUEST["who"];
$what = $_REQUEST["what"];

$serverName = "xxx";   
$uid = "xxx";     
$pwd = "xxx";    
$databaseName = "xxx";   

$connectionInfo = array( "UID"=>$uid,                              
                         "PWD"=>$pwd,                              
                         "Database"=>$databaseName);   

/* Connect using SQL Server Authentication. */    
$conn = sqlsrv_connect( $serverName, $connectionInfo);    

$tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";   

/* Execute the query. */    

$stmt = sqlsrv_query( $conn, $tsql);    

if ( $stmt )    
{    
     $something = "Submission successful.";
}     
else     
{    
     $something = "Submission unsuccessful.";
     die( print_r( sqlsrv_errors(), true));    
}
    $output=$something;
/* Free statement and connection resources. */    
sqlsrv_free_stmt( $stmt);    
sqlsrv_close( $conn);
?>

And here's the HTML Form:

<form action="startvoting.php" method="post" id="myform">
          <ol>
            <li>
              <label for="name">Nickname</label>
              <input id="who" name="who" class="text" />
            </li>
            <li>
              <label for="message">What <strong>you</strong> Want</label>
              <textarea id="what" name="what"></textarea>
            </li>
            <li class="buttons">
              <input type="image" src="images/send.gif" class="send" />
              <div class="clr"></div>
            </li>
          </ol>
        </form>

Can someone please help me? I don't know what to do!

Thank you

Here is the definitions:

TABLE_QUALIFIER TABLE_OWNER TABLE_NAME  COLUMN_NAME DATA_TYPE   TYPE_NAME   PRECISION   LENGTH  SCALE   RADIX   NULLABLE    REMARKS COLUMN_DEF  SQL_DATA_TYPE   SQL_DATETIME_SUB    CHAR_OCTET_LENGTH   ORDINAL_POSITION    IS_NULLABLE SS_DATA_TYPE
DB_11967_suggestions    dbo Suggestions Who 12  varchar 1   1           1           12      1   1   YES 39
DB_11967_suggestions    dbo Suggestions What    12  varchar 1   1           1           12      1   2   YES 39
DB_11967_suggestions    dbo Suggestions Votes   4   int 10  4   0   10  1           4           3   YES 38

Sorry it's not properly formatted.

Answer 1

The error occurs when you input a text field with more than one character. The error message “String or binary data would be truncated” would imply that you have created a table whose text columns are limited to one character. That would happen if your CREATE statement said they were CHAR as opposed to CHAR(somenumber) or NVARCHAR(somenumber) .

However, you've a bigger problem:

$tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";   

You've forgotten to SQL-escape those text strings. If they contain the ' character your query breaks, and any attacker can execute arbitrary SQL by injecting it into the query. Pretty soon your database ends up defaced with malware links, or worse.

Bizarrely, the sqlsrv drivers don't seem to give you a proper escaping function, but then just replacing ' with '' should be enough for SQL Server. However, you're much better off avoiding the issue by using parameterised queries :

sqlsrv_query(
    $conn,
    'INSERT INTO Suggestions (Who, What, Votes) VALUES (?, ?, 10)',
    array($who,  $what)
);

Answer 2

我认为您在column（fields）类型中有错误，尝试仅插入一个字符，然后提交成功，尝试扩展字段类型..即增加char num ... etc