12

I'm storing JSON data in a MySQL table using the code below. It works fine if the JSON is short but breaks for longer text. The "field_json" is a LONGTEXT.

    $sql = sprintf("UPDATE mytable 
        SET field_json = '$json_string'
        WHERE id = $userid");
    $result = mysql_query($sql);

The error I'm getting is:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'G '","username":"C0WB0Y","lastName":"","id":31874363},{"pathToPhoto":"22960/phot' at line 2

3
  • 3
    Please, please, please consider using prepared statements. Well, only if you prefer your site un-hacked ... Commented Jan 24, 2012 at 16:57
  • 3
    Just as a side note, if you are storing JSON in a MySQL table, maybe you should consider using a database that is better suited to store such data, like CouchDB, MongoDB, etc. Commented Jan 24, 2012 at 17:03
  • Good point. This is just for an import job where I want to save the JSON in case I have to process it again. Commented Jan 24, 2012 at 22:18

4 Answers

21

Use placeholders, otherwise you are susceptible to SQL injection: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Otherwise, here's a quick fix: http://php.net/manual/en/function.mysql-real-escape-string.php

    $sql = sprintf(
            "UPDATE mytable SET field_json = '%s' WHERE id = '%s'",
            mysql_real_escape_string($json_string),
            mysql_real_escape_string($userid)
    );
    $result = mysql_query($sql);

EDIT

Please use PDO ( http://www.php.net/manual/en/book.pdo.php ). The mysql extension has been deprecated as of 5.5.

2 Comments

SQL Injection possible with $userid. You can use (int) $userid instead of mysql_real_escape_string.
The question doesn't specify the data type for the id field, but in systems I've worked on, the user id is a uuid, not an int.
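
The placeholder approach recommended in the answer above, with both the JSON and the id bound as parameters, as an added example that is not part of the original answer or its comments. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline; the `saveJson` helper, the sample row and the sample JSON are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MySQL so the example runs offline.
// For MySQL only the DSN changes: 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id TEXT PRIMARY KEY, field_json TEXT)');
$pdo->exec("INSERT INTO mytable (id, field_json) VALUES ('31874363', NULL)");

/**
 * Hypothetical helper: store a JSON document for one row.
 * Both values travel as bound parameters, so quotes in the JSON or in the id
 * are never interpreted as SQL, whatever the id's type (int or uuid string).
 */
function saveJson(PDO $pdo, string $userId, string $json): int
{
    // Reject input that is not valid JSON before it is stored.
    json_decode($json);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('Invalid JSON: ' . json_last_error_msg());
    }

    $stmt = $pdo->prepare('UPDATE mytable SET field_json = :json WHERE id = :id');
    $stmt->execute([':json' => $json, ':id' => $userId]);

    return $stmt->rowCount(); // number of rows updated
}

// Constructed sample: a value containing a single quote, the kind of content
// that terminates the string literal in the concatenated query.
$json = json_encode([
    ['firstName' => "D'Arcy G ", 'username' => 'C0WB0Y', 'lastName' => '', 'id' => 31874363],
]);

$updated = saveJson($pdo, '31874363', $json);

// Constructed id containing quote characters: it is compared as a plain
// string, matches no row, and changes nothing.
$quoted = saveJson($pdo, "0' OR '1'='1", $json);

$stored = $pdo->query("SELECT field_json FROM mytable WHERE id = '31874363'")->fetchColumn();

printf("updated=%d quoted_id=%d roundtrip=%s\n",
    $updated, $quoted, $stored === $json ? 'ok' : 'mismatch');
```
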
4

Escape the JSON string:

    $json_string = mysql_real_escape_string( $json_string);

    $sql = sprintf("UPDATE mytable 
        SET field_json = '$json_string'
        WHERE id = $userid");
    $result = mysql_query($sql);

4 Comments

In your example, $userid could cause an SQL injection.
It could, but not only do we not know where $userid is coming from, it's also not the source of the OP's problem.
While not the OP's problem, the provided example silently leaves a potential security problem.
Thanks. Good points about the security. It's an import job so security isn't an issue.
3

You need to escape the quotes in your JSON string - otherwise they terminate the SQL-Query resulting in the exception you got.

2

Try this:

    $json_string = mysql_real_escape_string( $json_string );
    $sql = sprintf("UPDATE mytable 
    SET field_json = '$json_string'
    WHERE id = $userid");
    $result = mysql_query($sql);

1 Comment

SQL Injection possible with $userid
