I don't know what is going on, but it just doesn't want to work.

I keep getting this error when I submit my form:

    Array
    (
        [0] => Array ( [0] => 22001 [SQLSTATE] => 22001 [1] => 8152 [code] => 8152 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. )
        [1] => Array ( [0] => 01000 [SQLSTATE] => 01000 [1] => 3621 [code] => 3621 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. )
    )

Here's the PHP Code:

    <?php
    /* Form fields as submitted (see the HTML form below). */
    $who  = $_REQUEST["who"];
    $what = $_REQUEST["what"];

    $serverName   = "xxx";
    $uid          = "xxx";
    $pwd          = "xxx";
    $databaseName = "xxx";

    $connectionInfo = array( "UID"      => $uid,
                             "PWD"      => $pwd,
                             "Database" => $databaseName);

    /* Connect using SQL Server Authentication. */
    $conn = sqlsrv_connect( $serverName, $connectionInfo);

    /* The submitted values are interpolated straight into the SQL text. */
    $tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";

    /* Execute the query. */
    $stmt = sqlsrv_query( $conn, $tsql);

    if ( $stmt )
    {
        $something = "Submission successful.";
    }
    else
    {
        $something = "Submission unsuccessful.";
        die( print_r( sqlsrv_errors(), true));
    }
    $output = $something;

    /* Free statement and connection resources. */
    sqlsrv_free_stmt( $stmt);
    sqlsrv_close( $conn);
    ?>

And here's the HTML Form:

    <form action="startvoting.php" method="post" id="myform">
      <ol>
        <li>
          <label for="who">Nickname</label>
          <input id="who" name="who" class="text" />
        </li>
        <li>
          <label for="what">What <strong>you</strong> Want</label>
          <textarea id="what" name="what"></textarea>
        </li>
        <li class="buttons">
          <input type="image" src="images/send.gif" class="send" />
          <div class="clr"></div>
        </li>
      </ol>
    </form>

Can someone please help me? I don't know what to do!

Thank you

UPDATE

Here are the definitions:

    TABLE_QUALIFIER       TABLE_OWNER  TABLE_NAME   COLUMN_NAME  DATA_TYPE  TYPE_NAME  PRECISION  LENGTH  SCALE  RADIX  NULLABLE  REMARKS  COLUMN_DEF  SQL_DATA_TYPE  SQL_DATETIME_SUB  CHAR_OCTET_LENGTH  ORDINAL_POSITION  IS_NULLABLE  SS_DATA_TYPE
    DB_11967_suggestions  dbo          Suggestions  Who          12         varchar    1          1                     1                             12                               1                  1                 YES          39
    DB_11967_suggestions  dbo          Suggestions  What         12         varchar    1          1                     1                             12                               1                  2                 YES          39
    DB_11967_suggestions  dbo          Suggestions  Votes        4          int        10         4       0      10     1                             4                                                   3                 YES          38

Sorry it's not properly formatted.

+1  A: 

I think you have an error in the column (field) types. Try inserting just one character; if the submission then succeeds, try expanding the field types, i.e. increase the char number, etc.

shox
Wow! It works with just 1 char! Thanks shox! Now to try and increase char number
lucifer
You are a legend lol! Thank you so very much!!!!!! :D
lucifer
You are welcome :) ..
shox
+2  A: 

The error occurs when you input a text field with more than one character. The error message “String or binary data would be truncated” would imply that you have created a table whose text columns are limited to one character. That would happen if your CREATE statement said they were CHAR as opposed to CHAR(somenumber) or NVARCHAR(somenumber).

However, you've a bigger problem:

    $tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";

You've forgotten to SQL-escape those text strings. If they contain the ' character your query breaks, and any attacker can execute arbitrary SQL by injecting it into the query. Pretty soon your database ends up defaced with malware links, or worse.

Bizarrely, the sqlsrv drivers don't seem to give you a proper escaping function, but then just replacing ' with '' should be enough for SQL Server. However, you're much better off avoiding the issue by using parameterised queries:

    sqlsrv_query(
        $conn,
        'INSERT INTO Suggestions (Who, What, Votes) VALUES (?, ?, 10)',
        array($who, $what)
    );
bobince
But thank you lots for the code+advice, you really dumbed it down for me so I could understand it. I'm only new to php so it's much appreciated. :)
lucifer
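The two problems raised in this thread, the one-character columns and the unescaped interpolation, handled together in one script. This is an added example, not code from the question or from bobince's answer; the connection values are placeholders, and the column sizes assume the table has been widened to Who VARCHAR(50) and What VARCHAR(500).

```php
<?php
// Added example, not code from the question or from bobince's answer.
// Connection values are placeholders; the column sizes assume the table
// has been widened to Who VARCHAR(50) and What VARCHAR(500).
const MAX_WHO  = 50;
const MAX_WHAT = 500;

// Returns an error message, or null when the input fits the columns.
// strlen() counts bytes, which is what VARCHAR(n) measures.
function validateSuggestion($who, $what)
{
    $who  = trim($who);
    $what = trim($what);
    if ($who === '' || $what === '') {
        return 'Nickname and suggestion are required.';
    }
    if (strlen($who) > MAX_WHO) {
        return 'Nickname is too long (max ' . MAX_WHO . ' characters).';
    }
    if (strlen($what) > MAX_WHAT) {
        return 'Suggestion is too long (max ' . MAX_WHAT . ' characters).';
    }
    return null;
}

// The placeholders are bound by the driver, so a quote inside $who or
// $what is sent as data and can never change the SQL text.
function insertSuggestion($conn, $who, $what)
{
    $tsql = 'INSERT INTO Suggestions (Who, What, Votes) VALUES (?, ?, ?)';
    $stmt = sqlsrv_query($conn, $tsql, array($who, $what, 10));
    if ($stmt === false) {
        // Keep driver diagnostics in the server log, not in the HTTP response.
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }
    sqlsrv_free_stmt($stmt);
    return true;
}

$who  = isset($_POST['who'])  ? (string) $_POST['who']  : '';
$what = isset($_POST['what']) ? (string) $_POST['what'] : '';
$conn = sqlsrv_connect('xxx', array('UID' => 'xxx', 'PWD' => 'xxx', 'Database' => 'xxx'));
if ($conn === false) {
    die('Connection failed.');
}
$problem = validateSuggestion($who, $what);
$output  = $problem !== null ? $problem
         : (insertSuggestion($conn, $who, $what) ? 'Submission successful.' : 'Submission unsuccessful.');
sqlsrv_close($conn);
```

Checking the length in PHP first means the user gets a readable message instead of SQL Server error 8152, and the raw `sqlsrv_errors()` output stays in the server log rather than in the page.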