INSERT - PHP & SQL Server

2019-08-28 21:08发布

站内问答 / PHP
1677 2 2

I don't know what is going on, but it just doesn't want to work.

I keep getting this error when I submit my form:

Array ( [0] => Array ( [0] => 22001 [SQLSTATE] => 22001 [1] => 8152 [code] => 8152 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]String or binary data would be truncated. ) [1] => Array ( [0] => 01000 [SQLSTATE] => 01000 [1] => 3621 [code] => 3621 [2] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. [message] => [Microsoft][SQL Server Native Client 10.0][SQL Server]The statement has been terminated. ) )

Here's the PHP Code:

    <?php
$who = $_REQUEST["who"];
$what = $_REQUEST["what"];

$serverName = "xxx";   
$uid = "xxx";     
$pwd = "xxx";    
$databaseName = "xxx";   

$connectionInfo = array( "UID"=>$uid,                              
                         "PWD"=>$pwd,                              
                         "Database"=>$databaseName);   

/* Connect using SQL Server Authentication. */    
$conn = sqlsrv_connect( $serverName, $connectionInfo);    

$tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";   

/* Execute the query. */    

$stmt = sqlsrv_query( $conn, $tsql);    

if ( $stmt )    
{    
     $something = "Submission successful.";
}     
else     
{    
     $something = "Submission unsuccessful.";
     die( print_r( sqlsrv_errors(), true));    
}
    $output=$something;
/* Free statement and connection resources. */    
sqlsrv_free_stmt( $stmt);    
sqlsrv_close( $conn);
?>

And here's the HTML Form:

<form action="startvoting.php" method="post" id="myform">
          <ol>
            <li>
              <label for="name">Nickname</label>
              <input id="who" name="who" class="text" />
            </li>
            <li>
              <label for="message">What <strong>you</strong> Want</label>
              <textarea id="what" name="what"></textarea>
            </li>
            <li class="buttons">
              <input type="image" src="images/send.gif" class="send" />
              <div class="clr"></div>
            </li>
          </ol>
        </form>

Can someone please help me? I don't know what to do!

Thank you

UPDATE

Here is the definitions:

TABLE_QUALIFIER TABLE_OWNER TABLE_NAME  COLUMN_NAME DATA_TYPE   TYPE_NAME   PRECISION   LENGTH  SCALE   RADIX   NULLABLE    REMARKS COLUMN_DEF  SQL_DATA_TYPE   SQL_DATETIME_SUB    CHAR_OCTET_LENGTH   ORDINAL_POSITION    IS_NULLABLE SS_DATA_TYPE
DB_11967_suggestions    dbo Suggestions Who 12  varchar 1   1           1           12      1   1   YES 39
DB_11967_suggestions    dbo Suggestions What    12  varchar 1   1           1           12      1   2   YES 39
DB_11967_suggestions    dbo Suggestions Votes   4   int 10  4   0   10  1           4           3   YES 38

Sorry it's not properly formatted.

2条回答
霸刀☆藐视天下
2楼-- · 2019-08-28 21:50

The error occurs when you input a text field with more than one character. The error message “String or binary data would be truncated” would imply that you have created a table whose text columns are limited to one character. That would happen if your CREATE statement said they were CHAR as opposed to CHAR(somenumber) or NVARCHAR(somenumber).

However, you've a bigger problem:

$tsql = "insert into Suggestions (Who, What, Votes) values ('$who','$what','10')";

You've forgotten to SQL-escape those text strings. If they contain the ' character your query breaks, and any attacker can execute arbitrary SQL by injecting it into the query. Pretty soon your database ends up defaced with malware links, or worse.

Bizarrely, the sqlsrv drivers don't seem to give you a proper escaping function, but then just replacing ' with '' should be enough for SQL Server. However, you're much better off avoiding the issue by using parameterised queries:

sqlsrv_query(
    $conn,
    'INSERT INTO Suggestions (Who, What, Votes) VALUES (?, ?, 10)',
    array($who,  $what)
);
查看更多
0人赞 添加讨论(0) 举报
Root(大扎)
3楼-- · 2019-08-28 21:55

I think you have an error in columns(fields) types , try insert just one character , then the submission successfully , try expand fields type .. , i.e. increase char num ...etc

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(2)