Form doesn't send info over to database

Question

ibn_sumal 0 Newbie Poster

11 Years Ago

I have 2 tables inside of my database and 2 forms on my website. 1 form works and sends information over to its table in the database while the other form doesn't although I have used the exact same method for both.

Here is my code, please help me find out why information isn't being send over to its table in the database.

NOTE: I have a login system and when I send this form over I'm currently logged in.

The form

<form action = "order.php" method = "post">

            <b>Warranty:</b> </br> 
            <select name="warranty">
            <option value="0" class="registerFields">No Warranty</option>
            <option value="1" class="registerFields">1 Year</option>
            <option value="2" class="registerFields">2 Years</option>
            </select> </br>

            <b>Delivery:</b> </br> 
            <select name="delivery">
            <option value="first" class="registerFields">1st Class</option>
            <option value="second" class="registerFields">2nd Class</option>
            <option value="recorded" class="registerFields">Recorded & Signed</option>
            </select> </br>

            <b>Price:</b> </br> 
            <select name="price">
            <option value="price" class="registerFields">£159</option>
            </select> </br>

        <input type="submit" value="Complete Order" class="registerSubmit" />
        </form>

The order.php page which sends the form information over to the database

<?php
//create the connection between the form and the server
include('connectFileProject.php'); //file that connects website to server & database

//insert form information into the database
$sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
$result = mysql_query($sql);  //perform the action

    if($result){
        echo "Congratulations, your order is now live.";
    }
    else{
        echo "There was an error";
    }

?>

<html>
<body>

<br />
<br />

<a href="kaahh.php">Go back</a>

</body>
</html>

The order table has the following fields:

ID
username
warranty
delivery
price

NOTE 2: Since I'm already logged in, I assume that my username will be picked up sent over to the db however this is important. I just want the warranty, delivery and price fields to be sent over.

As I've mentioned earlier, I have another form which uses the exact same method and works completely fine. This what bugs me as I can't understand why 1 form would work while the other doesn't.

Thanks for any help.

php

Edited 11 Years Ago by ibn_sumal

7 Contributors
11 Replies
420 Views
1 Day Discussion Span
Latest Post 11 Years Ago Latest Post by ibn_sumal

paulkd 59 Newbie Poster

11 Years Ago

In your form your price field does not contain an actual numeric - only the string "price"
Your sql is not sure whether it is an insert (INSERT) or an update (SET)
You need to add validation

Here is some untested code to try and help you along. You will probably have to change $_SESSION['username'] to whatever a logged in username variable looks like.

$sql = sprintf("
    INSERT INTO order (
        username, warranty, delivery, price
    ) values (
        '%s', '%s', '%s', %.2f
    )
    ",
    mysql_real_escape_string($_SESSION['username']),
    mysql_real_escape_string($_POST['warranty']),
    mysql_real_escape_string($_POST['delivery']),
    mysql_real_escape_string($_POST['price'])
);

broj1 commented: True +9

pixelsoul 272 Red Pill

11 Years Ago

You need to include the link to your db in there as well.

Example:

mysqli_real_escape_string($dbconn, $_POST['price']);

http://php.net/manual/en/mysqli.real-escape-string.php

Edited 11 Years Ago by pixelsoul

broj1 commented: Thanx, I forgot that +9

broj1 356 Humble servant

11 Years Ago

In my example I used mysqli extension but you are using mysql exstension (see the query on line 19 of your code). You should actually use only one exstension in your script. I strongly suggest you switch to mysqli which is newer and has more features. Mysql exstension is old and has been deprecated in newest versions of PHP. So if you have reasons stay with mysql and change the escape statements to:

// escape the values and assign them to variables
$warranty = mysql_real_escape_string($_POST['warranty']);
$delivery = mysql_real_escape_string($_POST['delivery']);
$price = mysql_real_escape_string($_POST['price']);

and the error won't appear anymore. When you have chance switch to mysqli extension. And sory for the confusion I might have caused :-)

Edited 11 Years Ago by broj1

masterjiraya commented: he mixed 2 api scripts ( the one who asked it ) +4

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Octet 45 Newbie Poster Featured Poster · Answer 1 · 2013-04-16T18:01:48+00:00

It might be me, but are you missing your $_POST data?

$warranty = $_POST['warranty'];

broj1 356 Humble servant Featured Poster · Answer 2 · 2013-04-16T19:10:06+00:00

As AHarrisGsy says you did not assign values from $_POST to variables you use in your query. So check for the existence of each of $_POST element, escape the values and assign them to variables. If any of the $_POST elements is missing then display an error message.

if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    $warranty = mysqli_real_escape_string($_POST['warranty']);
    $delivery = mysqli_real_escape_string($_POST['delivery']);
    $price = mysqli_real_escape_string($_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}
    // get username form somewhere (i.e. session)
    $username = $_SESSION['username'] // I am guessing this
    ...
    // now you can use variables in the query
    $sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";

lukas.vandendijssel 0 Light Poster · Answer 3 · 2013-04-16T19:38:06+00:00

It's also not a very good idea to use mysql_query etc in new projects, as it is deprecated. You should use MySQLi.

masterjiraya -3 Junior Poster · Answer 4 · 2013-04-17T00:31:54+00:00

oh my oh my, your code 6.$sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
echo that line so you can see why.
at a first glance you mistaken or should I say forgot to initialize the values of the variables $username, $warranty, $delivery and $price.

since you did not initialize the value of the variable then it is set to default as null or whitespace or ''(empty string)

ibn_sumal 0 Newbie Poster · Answer 5 · 2013-04-17T15:19:11+00:00

Ok guys, my order.php file now looks like this

<?php
//create the connection between the form and the server
include('connectFileProject.php');

    if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    $warranty = mysqli_real_escape_string($_POST['warranty']);
    $delivery = mysqli_real_escape_string($_POST['delivery']);
    $price = mysqli_real_escape_string($_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}
    // get username from session
    $username = $_SESSION['username']; 

    // now you can use variables in the query
    $sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
    $result = mysql_query($sql);  //perform the action

?>
<html>
<body>

<br />
<br />

<a href="kaahh.php">Go back</a>

</body>
</html>

The previous issue seems to have been resolved however I now get the following error.

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/a6126152/public_html/kaah/order.php on line 8

Here is the link if you wish to test it yourselves: Click Here

Your assistance is greatly appreciated.

paulkd 59 Newbie Poster · Answer 6 · 2013-04-17T16:29:19+00:00

All the things I said before are still relevant.

Here is some more untested "test" code.

<?php
//create the connection between the form and the server
include('connectFileProject.php');

//test vars
$username = 'paulkd';
$_POST['warranty'] = '1';
$_POST['delivery'] = 'second';
$_POST['price'] = '10';

$sql = sprintf("
    INSERT INTO order (
        username, warranty, delivery, price
    ) values (
        '%s', '%s', '%s', %.2f
    )
    ",
    mysql_real_escape_string($username),
    mysql_real_escape_string($_POST['warranty']),
    mysql_real_escape_string($_POST['delivery']),
    mysql_real_escape_string($_POST['price'])
);
$result = mysql_query($sql);  //perform the action
?>
<html>
    <head><title>Test</head>
    <body>
        <p>Did a record get inserted?</p>
    </body>
</html>

I think you are also misunderstanding what constitutes a value in your Price field, and possibly the other fields also.

paulkd 59 Newbie Poster · Answer 7 · 2013-04-17T21:59:30+00:00

@broj1 No worries. I haven't made the move yet.

ibn sumal's SQL is still incorrect.

From the docs...
Procedural style: string mysqli_real_escape_string ( mysqli $link , string $escapestr )
presumably the cause of the warning.

ibn_sumal 0 Newbie Poster · Answer 8 · 2013-04-18T17:00:07+00:00

Guys I've sorted out the issue by simply deleting the form, order.php file and table and redoing them. I still haven't figured out what the problem was however it now works perfectly and all the information is sent over to the respective table.

Once again I'd like to thank you fellas for your assistance which was greatly appreciated.