
Can't insert data into database with PHP using a query

Posted by: admin October 26, 2017

Questions:

Everything works up until the query for inserting the data into the database. I’ve tried using only one variable to insert into the database and I still can’t get the query to run correctly. It may just be a simple typo that I’m missing but I can’t seem to find it.

HTML select page

<!DOCTYPE html>
<html>
<head>
	<title></title>
	<style>
		* {
			margin: 0;
			padding: 0;
		}

		#container {
			margin: 15px auto;
			width: 700px;
			border: 1px solid #cccccc;
			border-radius: 3px;
		}

		.title-container {
			padding: 20px;
		}

		.title {
			font-size: 28px;
			margin: 20px;
		}

		.price {
			color: red;
		}

		img {
			width: 100%;
			height: auto;
			margin: 0;
			padding: 0;
		}

		#submit {
			width: 100%;
			text-align: center;
			background-color: red;
			color: white;
			padding: 15px;
			border: 0;
			margin-bottom: 20px;
			font-size: 20px;
		}
	</style>
</head>
<body>
	<div id="container">
		<form action="checkout.php" method="post">
			<div class="product">
				<div class="title-container">
					<input type="radio" name="game" value="Assassin's Creed II"><span class="title">Assassin's Creed II - <span class="price">$15.99</span></span><br />
				</div>
				<img src="assassin2.png">
			</div>
			<div class="product">
				<div class="title-container">
					<input type="radio" name="game" value="Assassin's Creed Brotherhood"><span class="title">Assassin's Creed Brotherhood - <span class="price">$19.99</span></span><br />
				</div>
				<img src="brotherhood.jpg">
			</div>
			<div class="product">
				<div class="title-container">
					<input type="radio" name="game" value="Assassin's Creed Revelations"><span class="title">Assassin's Creed Revelations - <span class="price">$24.99</span></span><br />
				</div>
				<img src="revelations.jpg">
			</div>
			<h4>Enter quantity: <input type="number" min="1" name="qty"></h4>
			<input type="submit" value="Checkout" id="submit">
		</form>
	</div>
</body>
</html>
Answers:

Try to escape strings:

<?php
session_start();
$con = new mysqli('localhost', 'root', 'root', 'purchases');
// new mysqli() always returns an object, so !$con never fires; check connect_error instead
if ($con->connect_error) {
    echo "Not connected to database";
} else {
    // escape every value before it is pasted into the SQL string
    $game     = mysqli_real_escape_string($con, $_SESSION['sale_game']);
    $qty      = mysqli_real_escape_string($con, $_SESSION['sale_qty']);
    $price    = mysqli_real_escape_string($con, $_SESSION['sale_price']);
    $subtotal = mysqli_real_escape_string($con, $_SESSION['sale_subtotal']);
    $fName    = mysqli_real_escape_string($con, $_POST['fName']);
    $lName    = mysqli_real_escape_string($con, $_POST['lName']);
    $address  = mysqli_real_escape_string($con, $_POST['address']);
    $city     = mysqli_real_escape_string($con, $_POST['city']);
    $state    = mysqli_real_escape_string($con, $_POST['state']);
    $zip      = mysqli_real_escape_string($con, $_POST['zip']);
    $email    = mysqli_real_escape_string($con, $_POST['email']);
    $query = "INSERT INTO orders (Game, Price, Quantity, Total, fName, lName, Address, City, State, Zip, Email) VALUES ('$game', '$price', '$qty', '$subtotal', '$fName', '$lName', '$address', '$city', '$state', '$zip', '$email')";
    if ($con->query($query) === TRUE) {
        echo "Inserted";
    } else {
        echo "Not Inserted";
    }
}
?>


You should use a prepared statement and placeholders:

<?php
session_start();
$con = new mysqli('localhost', 'root', 'root', 'purchases');
// new mysqli() always returns an object, so !$con never fires; check connect_error instead
if ($con->connect_error) {
    echo "Not connected to database";
} else {
    // values come from the session and the checkout form, as in the question's flow
    $game     = $_SESSION['sale_game'];
    $qty      = $_SESSION['sale_qty'];
    $price    = $_SESSION['sale_price'];
    $subtotal = $_SESSION['sale_subtotal'];
    $fName    = $_POST['fName'];
    $lName    = $_POST['lName'];
    $address  = $_POST['address'];
    $city     = $_POST['city'];
    $state    = $_POST['state'];
    $zip      = $_POST['zip'];
    $email    = $_POST['email'];

    $query = "INSERT INTO orders (Game, Price, Quantity, Total, fName, lName, Address, City, State, Zip, Email) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = $con->prepare($query);
    // bind_param is called exactly once, with one type character per placeholder in column
    // order (s = string, d = double, i = integer); separate calls would overwrite each other
    $stmt->bind_param("sdidsssssss", $game, $price, $qty, $subtotal, $fName, $lName, $address, $city, $state, $zip, $email);

    if ($stmt->execute() === TRUE) {
        echo "Inserted";
    } else {
        echo "Not Inserted";
    }
}
?>
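As an added example (not from the question or either answer), here is the same INSERT run both ways against an in-memory SQLite table standing in for the MySQL `orders` table; it uses Python's sqlite3 rather than PHP/mysqli so it runs stand-alone, and the table schema and the sample order are assumed. The first radio button's value, "Assassin's Creed II", carries an apostrophe, which is enough to break the string-built query from the question, while the placeholder form from the second answer stores it unchanged.

```python
import sqlite3

# Constructed stand-in for the page's `orders` table (schema assumed from the INSERT).
SCHEMA = """CREATE TABLE orders (
    Game TEXT, Price REAL, Quantity INTEGER, Total REAL,
    fName TEXT, lName TEXT, Address TEXT, City TEXT, State TEXT, Zip TEXT, Email TEXT)"""

COLUMNS = ("Game", "Price", "Quantity", "Total", "fName", "lName",
           "Address", "City", "State", "Zip", "Email")

# Constructed sample order; the game title is the first radio button's value from the form.
SAMPLE_ORDER = ("Assassin's Creed II", 15.99, 2, 31.98, "Ada", "Lovelace",
                "1 Example St", "Springfield", "IL", "62701", "ada@example.com")


def fresh_db():
    """Open an empty in-memory database with the orders table created."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_interpolated(con, order):
    """Build the INSERT the way the question does: values pasted into the SQL text.
    Returns True on success, or the database's error message on failure."""
    values = ", ".join(f"'{v}'" for v in order)
    sql = f"INSERT INTO orders ({', '.join(COLUMNS)}) VALUES ({values})"
    try:
        con.execute(sql)
        con.commit()
        return True
    except sqlite3.Error as exc:
        return str(exc)  # e.g. near "s": syntax error, caused by the apostrophe


def insert_prepared(con, order):
    """Same INSERT with placeholders: the values never become part of the SQL text."""
    placeholders = ", ".join("?" for _ in COLUMNS)
    sql = f"INSERT INTO orders ({', '.join(COLUMNS)}) VALUES ({placeholders})"
    con.execute(sql, order)
    con.commit()
    return True


def stored_games(con):
    """List the Game column so a test can confirm what actually landed in the table."""
    return [row[0] for row in con.execute("SELECT Game FROM orders")]
```

mysqli_real_escape_string in the first answer patches the apostrophe case, but only the prepared statement keeps data out of the SQL text altogether; in either version, print $con->error rather than a bare "Not Inserted" so a failure like this one is visible.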