0

I have 2 tables inside of my database and 2 forms on my website. 1 form works and sends information over to its table in the database while the other form doesn't although I have used the exact same method for both.

Here is my code, please help me find out why information isn't being sent over to its table in the database.

NOTE: I have a login system and when I send this form over I'm currently logged in.

The form

<form action = "order.php" method = "post">

            <b>Warranty:</b> <br />
            <select name="warranty">
            <option value="0" class="registerFields">No Warranty</option>
            <option value="1" class="registerFields">1 Year</option>
            <option value="2" class="registerFields">2 Years</option>
            </select> <br />

            <b>Delivery:</b> <br />
            <select name="delivery">
            <option value="first" class="registerFields">1st Class</option>
            <option value="second" class="registerFields">2nd Class</option>
            <option value="recorded" class="registerFields">Recorded &amp; Signed</option>
            </select> <br />

            <b>Price:</b> <br />
            <select name="price">
            <option value="price" class="registerFields">£159</option>
            </select> <br />

        <input type="submit" value="Complete Order" class="registerSubmit" />
        </form>

The order.php page which sends the form information over to the database

<?php
//create the connection between the form and the server
include('connectFileProject.php'); //file that connects website to server & database

//insert form information into the database
$sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
$result = mysql_query($sql);  //perform the action

    if($result){
        echo "Congratulations, your order is now live.";
    }
    else{
        echo "There was an error";
    }

?>

<html>
<body>

<br />
<br />

<a href="kaahh.php">Go back</a>

</body>
</html>

The order table has the following fields:

ID
username
warranty
delivery
price

NOTE 2: Since I'm already logged in, I assume that my username will be picked up and sent over to the db, however this is important. I just want the warranty, delivery and price fields to be sent over.

As I've mentioned earlier, I have another form which uses the exact same method and works completely fine. This is what bugs me, as I can't understand why 1 form would work while the other doesn't.

Thanks for any help.

Edited by ibn_sumal

1

It might be me, but are you missing your $_POST data?

$warranty = $_POST['warranty'];

Edited by Octet

1

As AHarrisGsy says, you did not assign values from $_POST to the variables you use in your query. So check for the existence of each $_POST element, escape the values and assign them to variables. If any of the $_POST elements is missing, then display an error message.

if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    $warranty = mysqli_real_escape_string($_POST['warranty']);
    $delivery = mysqli_real_escape_string($_POST['delivery']);
    $price = mysqli_real_escape_string($_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}
    // get username from somewhere (i.e. session)
    $username = $_SESSION['username']; // I am guessing this
    ...
    // now you can use variables in the query
    $sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";

Edited by broj1

1

It's also not a very good idea to use mysql_query etc in new projects, as it is deprecated. You should use MySQLi.

2

In your form your price field does not contain an actual numeric - only the string "price"
Your sql is not sure whether it is an insert (INSERT) or an update (SET)
You need to add validation

Here is some untested code to try and help you along. You will probably have to change $_SESSION['username'] to whatever a logged in username variable looks like.

$sql = sprintf("
    INSERT INTO order (
        username, warranty, delivery, price
    ) values (
        '%s', '%s', '%s', %.2f
    )
    ",
    mysql_real_escape_string($_SESSION['username']),
    mysql_real_escape_string($_POST['warranty']),
    mysql_real_escape_string($_POST['delivery']),
    mysql_real_escape_string($_POST['price'])
);
Votes + Comments
True
1

Oh my, oh my, your code:
$sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
Echo that line so you can see why.
At first glance, you mistakenly, or should I say, forgot to initialize the values of the variables $username, $warranty, $delivery and $price.

Since you did not initialize the values of the variables, they are set to the default: null, whitespace or '' (empty string).

0

Ok guys, my order.php file now looks like this

<?php
//create the connection between the form and the server
include('connectFileProject.php');

    if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    $warranty = mysqli_real_escape_string($_POST['warranty']);
    $delivery = mysqli_real_escape_string($_POST['delivery']);
    $price = mysqli_real_escape_string($_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}
    // get username from session
    $username = $_SESSION['username']; 

    // now you can use variables in the query
    $sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
    $result = mysql_query($sql);  //perform the action

?>
<html>
<body>

<br />
<br />

<a href="kaahh.php">Go back</a>

</body>
</html>

The previous issue seems to have been resolved however I now get the following error.

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/a6126152/public_html/kaah/order.php on line 8

Here is the link if you wish to test it yourselves: Click Here

Your assistance is greatly appreciated.

Edited by ibn_sumal

1

All the things I said before are still relevant.

Here is some more untested "test" code.

<?php
//create the connection between the form and the server
include('connectFileProject.php');

//test vars
$username = 'paulkd';
$_POST['warranty'] = '1';
$_POST['delivery'] = 'second';
$_POST['price'] = '10';

$sql = sprintf("
    INSERT INTO order (
        username, warranty, delivery, price
    ) values (
        '%s', '%s', '%s', %.2f
    )
    ",
    mysql_real_escape_string($username),
    mysql_real_escape_string($_POST['warranty']),
    mysql_real_escape_string($_POST['delivery']),
    mysql_real_escape_string($_POST['price'])
);
$result = mysql_query($sql);  //perform the action
?>
<html>
    <head><title>Test</title></head>
    <body>
        <p>Did a record get inserted?</p>
    </body>
</html>

I think you are also misunderstanding what constitutes a value in your Price field, and possibly the other fields also.

2

In my example I used the mysqli extension but you are using the mysql extension (see the query on line 19 of your code). You should actually use only one extension in your script. I strongly suggest you switch to mysqli, which is newer and has more features. The mysql extension is old and has been deprecated in the newest versions of PHP. So if you have reasons, stay with mysql and change the escape statements to:

// escape the values and assign them to variables
$warranty = mysql_real_escape_string($_POST['warranty']);
$delivery = mysql_real_escape_string($_POST['delivery']);
$price = mysql_real_escape_string($_POST['price']);

and the error won't appear anymore. When you have a chance, switch to the mysqli extension. And sorry for the confusion I might have caused :-)

Edited by broj1

Votes + Comments
he mixed 2 api scripts ( the one who asked it )
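
The mysqli switch recommended above, carried through to prepared statements, so that no value is concatenated into the SQL text and the mysql/mysqli mix-up cannot occur. This is an added example and not code from any poster in this thread; the connection placeholders, the PRICE constant and the `$_SESSION['username']` key are assumptions.

```php
<?php
// Added example, not code from this thread. Connection details, PRICE and the
// $_SESSION['username'] key are assumptions.
session_start();

// Allow-lists mirror the <option> values of the form; anything else is rejected.
const WARRANTY_OPTIONS = ['0', '1', '2'];
const DELIVERY_OPTIONS = ['first', 'second', 'recorded'];
const PRICE = '159.00'; // fixed server-side; a price sent by the browser is not trusted

function validate_order(array $post): ?array
{
    $warranty = $post['warranty'] ?? null;
    $delivery = $post['delivery'] ?? null;
    if (!is_string($warranty) || !in_array($warranty, WARRANTY_OPTIONS, true)) {
        return null;
    }
    if (!is_string($delivery) || !in_array($delivery, DELIVERY_OPTIONS, true)) {
        return null;
    }
    return ['warranty' => (int) $warranty, 'delivery' => $delivery];
}

if (!isset($_SESSION['username'])) {
    http_response_code(403);
    exit('Please log in first.');
}
$order = validate_order($_POST);
if ($order === null) {
    http_response_code(400);
    exit('Please select all required fields!');
}

// Make mysqli throw on SQL errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$db->set_charset('utf8mb4');

// `order` is a reserved word in MySQL, so the table name is quoted with backticks.
$stmt = $db->prepare(
    'INSERT INTO `order` (username, warranty, delivery, price) VALUES (?, ?, ?, ?)'
);
$username = $_SESSION['username'];
$price = PRICE;
// Bound parameters travel separately from the SQL text, so no escaping is needed.
$stmt->bind_param('siss', $username, $order['warranty'], $order['delivery'], $price);
$stmt->execute();

echo 'Congratulations, your order is now live.';
```

With error reporting switched on, a failing statement raises an exception carrying the server's message, which replaces the generic "There was an error" branch of the original script.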
1

@broj1 No worries. I haven't made the move yet.

ibn sumal's SQL is still incorrect.

From the docs...
Procedural style: string mysqli_real_escape_string ( mysqli $link , string $escapestr )
presumably the cause of the warning.

0

Guys I've sorted out the issue by simply deleting the form, order.php file and table and redoing them. I still haven't figured out what the problem was however it now works perfectly and all the information is sent over to the respective table.

Once again I'd like to thank you fellas for your assistance which was greatly appreciated.
