views:

340

answers:

4

I'm trying to store a String which contains HTML in a MySQL database using Longtext data type. But it always says "You have an error in your SQL syntax". I tried to store a normal String and it works.

Update:

This is the query:

st.executeUpdate("insert into website(URL,phishing,source_code,active) values('" + URL + "','" + phishingState + "','" + sourceCode + "','" + webSiteState + "');");

I'm using Java.

+1  A: 

You need to escape a string before inserting it into database.

a1ex07
+1  A: 

Difficult to say without seeing the query. Can you post it?

I'm presuming there's some part of the html string that needs escaping, which maybe you missed?

Andy Hume
+2  A: 

Try using mysql_real_escape_string function on the string you want to store. It is the easiest way.

Sinan
+4  A: 

Strings in a SQL query are -usually- surrounded by singlequotes. E.g.

INSERT INTO tbl (html) VALUES ('html');

But if the HTML string itself contains a singlequote as well, it would break the SQL query:

INSERT INTO tbl (html) VALUES ('<form onsubmit="validate('foo', 'bar')">');

You already see it in the syntax highlighter, the SQL value ends right before foo and the SQL interpreter can't understand what comes thereafter. SQL Syntax Error!

But that's not the only, it also puts the doors wide open for SQL injections (examples here).

You'll really need to sanitize the SQL during constructing the SQL query. How to do it depends on the programming language you're using to execute the SQL. If it is for example PHP, you'll need mysql_real_escape_string():

$sql = "INSERT INTO tbl (html) VALUES ('" . mysql_real_escape_string($html) . "')";

An alternative in PHP is using prepared statements, it will handle SQL escaping for you.

If you're using Java (JDBC), then you need PreparedStatement:

String sql = "INSERT INTO tbl (html) VALUES (?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, html);

Update: it turns out that you're actually using Java. You'll need to change the code as follows:

String sql = "INSERT INTO website (URL, phishing, source_code, active) VALUES (?, ?, ?, ?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, URL);
preparedStatement.setString(2, phishingState);
preparedStatement.setString(3, sourceCode);
preparedStatement.setString(4, webSiteState);
preparedStatement.executeUpdate();

Don't forget to handle JDBC resources properly. You may find this article useful to get some insights how to do basic JDBC stuff the proper way. Hope this helps.

BalusC
While using prepared statements prevent you from sql injection, do remember to escape the HTML when you pull it out and display it again ! If you do not, you'll be vulnerable to all sort of xss attacks.
nos
@nos: completely right. That's however a story apart. Seeing the coding (variable names) as far, I'd expect it to be used for completely different purposes though :) @jouzef19: if this HTML is coming from *user input* and you are *ever* going to display this in a JSP page or so, then use [`fn:escapeXml()`](http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html) to sanitize it to avoid [XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting) - [examples here](http://ha.ckers.org/xss.html).
BalusC