
MySQL Syntax Error at long entered text

I am trying to build a PHP form with MySQL. The problem is that I get an error every time I try to add some long text into the field.

The error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near.....at line 1

The PHP code generating the query is this:

<?php

if ( $_GET['aktion'] == "speichern" )
{
    $title          = $_GET['title'];
    $description    = $_GET['description'];
    $applepart      = $_GET['applepart'];
    $partnumber     = $_GET['partnumber'];
    $productcode    = $_GET['productcode'];
    $compatibility  = $_GET['compatibility'];
    $url_bild       = $_GET['url_bild'];
    $price          = $_GET['price'];

    $sql  = "INSERT INTO adressbuch ";
    $sql .= " SET ";
    $sql .= " title         = '$title', ";
    $sql .= " description   = '$description', ";
    $sql .= " applepart     = '$applepart', ";
    $sql .= " partnumber    = '$partnumber', ";
    $sql .= " productcode   = '$productcode', ";
    $sql .= " compatibility = '$compatibility', ";
    $sql .= " url_bild      = '$url_bild', ";
    $sql .= " price         = '$price' ";

    require_once ('konfiguration.php');
    $db_erg = mysql_query($sql)
        or die("Anfrage fehlgeschlagen: " . mysql_error());

    echo '<h1>Adresse wurde speichert</h1>';
    echo '<a href="auflistung.php">Auflistung anzeigen</a>';
    exit;
}
?>

<form name="" action="" method="GET" enctype="text/html">
<p>Title:<br />
<input type="text" name="title" value="" size="60" />
</p>
<p>description:<br />
<input type="text" name="description" value="" size="60" />
</p>
<p>applepart:<br />
<input type="text" name="applepart" value="" size="60" />
</p>
<p>partnumber:<br />
<input type="text" name="partnumber" value="" size="60" />
</p>
<p>productcode:<br />
<input type="text" name="productcode" value="" size="60" />
</p>
<p>compatibility:<br />
<input type="text" name="compatibility" value="" size="60" />
</p>
<p>Bild:<br />
<input type="text" name="url_bild" value="" size="60" />
</p>
<p>price:<br />
<input type="text" name="price" value="" size="60" />
</p>

<input type="hidden" name="aktion" value="speichern" />

<input type="Submit" name="" value="speichern" />
</form>

Thanks for your help

Your code is susceptible to SQL injection, and your problem is only a hint as to why.

The rule we always use is: "Never trust data from the user-agent" (i.e. consider anything in $_GET or $_POST as potentially problematic or worse). At a minimum, we should always escape these values using mysqli_real_escape_string, or else use a more robust DB framework.

Your problem is that when you have long enough input, it has a single quote in it somewhere, or a newline. You can't simply concatenate user input like this and expect it to work. Worse, you are wide-open for SQL injection attacks. Find the right way to use your framework to build SQL queries.
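The cleaner fix the answer above points at, written out as an added example (not code from the question or any answer): the same INSERT done with a mysqli prepared statement, so a quote or newline in the text can never become part of the SQL syntax. It assumes konfiguration.php opens a mysqli connection in $mysqli and that the form posts with a hidden aktion=speichern field; both are assumptions, since the original uses the old mysql_* extension and GET.

```php
<?php
// Added example: prepared-statement version of the form handler.
// Assumes konfiguration.php creates a mysqli connection in $mysqli (assumption).
require_once 'konfiguration.php';

// Column names cannot be bound as parameters, so the allowed columns are fixed
// here instead of being taken from the request.
const ADRESSBUCH_COLUMNS = ['title', 'description', 'applepart', 'partnumber',
                            'productcode', 'compatibility', 'url_bild', 'price'];

function save_entry(mysqli $db, array $input): int
{
    $columns      = ADRESSBUCH_COLUMNS;
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO adressbuch (%s) VALUES (%s)',
                   implode(', ', $columns), $placeholders);

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // Missing fields become empty strings; every value is bound as a string ("s"),
    // so "13'' MacBook" or a multi-line description is stored exactly as typed.
    $values = [];
    foreach ($columns as $col) {
        $values[] = isset($input[$col]) ? (string) $input[$col] : '';
    }
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);

    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->affected_rows;
}

if (($_POST['aktion'] ?? '') === 'speichern') {
    save_entry($mysqli, $_POST);
    echo '<h1>Adresse wurde gespeichert</h1>';
    echo '<a href="auflistung.php">Auflistung anzeigen</a>';
    exit;
}
```

Because the values travel separately from the statement text, the "syntax error near ..." message for long input disappears along with the injection vector; the only remaining length limit is the column type in the table.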

Regardless of the SQL injection vulnerability, it seems like you are sending a query which is too long for MySQL to handle.

You can try to overcome this by changing some configuration: try and raise the parameter "max_allowed_packet" in your MySQL's configuration file. For example:

[mysqld]
max_allowed_packet = 64M

This will set it to 64MB, which means the longest single query you will be allowed to issue is 64MB, and the longest single row you will be able to retrieve from a query is 64MB in size.

<?php
require_once ('konfiguration.php');

// Handle the POSTed form: escape every value for the query (mysql_real_escape_string
// needs the connection opened by konfiguration.php) after HTML-encoding it for output.
if (isset($_POST['title']))
{
    $title         = mysql_real_escape_string(htmlspecialchars($_POST['title']));
    $description   = mysql_real_escape_string(htmlspecialchars($_POST['description']));
    $applepart     = mysql_real_escape_string(htmlspecialchars($_POST['applepart']));
    $partnumber    = mysql_real_escape_string(htmlspecialchars($_POST['partnumber']));
    $productcode   = mysql_real_escape_string(htmlspecialchars($_POST['productcode']));
    $compatibility = mysql_real_escape_string(htmlspecialchars($_POST['compatibility']));
    $url_bild      = mysql_real_escape_string(htmlspecialchars($_POST['url_bild']));
    $price         = mysql_real_escape_string(htmlspecialchars($_POST['price']));

    $insert = mysql_query("INSERT INTO `adressbuch` "
        . "(`title`,`description`,`applepart`,`partnumber`,`productcode`,`compatibility`,`url_bild`,`price`) "
        . "VALUES ('$title','$description','$applepart','$partnumber','$productcode','$compatibility','$url_bild','$price')");

    if (!$insert)
    {
        die('Eintrag konnte nicht gespeichert werden: ' . mysql_error());
    }
}
?>

<form method="POST" action="?page= ">
  <span>Neuer G&auml;stebucheintrag verfassen:</span> <br />
  <span>Title</span><input type="text" name="title" /> <br />
  <span>Description</span><textarea cols="16" rows="5" name="description"></textarea> <br />
  <span>Apple Part</span><input type="text" name="applepart" /> <br />
  <span>Part Number</span><input type="text" name="partnumber" /> <br />
  <span>Product Code</span><input type="text" name="productcode" /> <br />
  <span>Compatibility</span><input type="text" name="compatibility" /> <br />
  <span>Image</span><input type="text" name="url_bild" /> <br />
  <span>Price</span><input type="text" name="price" /> <br />
  <input type="submit" value="Speichern"/> <br />
</form>
