
I've checked my code compared with code elsewhere on my site and I can't see any inconsistencies, but for some reason the records are entering my database with blank data, here is my code.

```php
<?php

include '../includes/connect.php';
include '../header.php';

echo '<h2>Create a Sub category</h2>';
if($_SESSION['signed_in'] == false | $_SESSION['user_level'] != 1 )
{
    //the user is not an admin
    echo 'Sorry, you do not have sufficient rights to access this page.';
}
else
{
    //the user has admin rights
    if($_SERVER['REQUEST_METHOD'] != 'POST')
    {
        //the form hasn't been posted yet, display it
        echo '<form method="post" action="">
            Category name: ';
        $sql = "SELECT cat_id, cat_name, cat_description FROM categories";
        $result = mysql_query($sql);
        echo '<select name="topic_cat">';
        while($row = mysql_fetch_assoc($result))
        {
            echo '<option value="' . $row['cat_id'] . '">' . $row['cat_name'] . '</option>';
        }
        echo '</select><br />';

        echo 'Sub category name: <input type="text" name="sub_cat_name" /><br />
            Sub category description:<br /> <textarea name="sub_desc" /></textarea><br /><br />
            <input type="submit" value="Add Sub Category" />
         </form>';
    }
    else
    {
        //the form has been posted, so save it
        $sql = "INSERT INTO subcategories(c_id, sub_cat_name, sub_desc)
           VALUES('" . $_POST['categories.cat_id'] . "', '" . $_POST['sub_cat_name'] . "', '" . $_POST['sub_desc'] . "')";
        $result = mysql_query($sql) or die (mysql_error());
        echo 'The sub category <b>' . $row['sub_cat_name'] . '</b> has been added under the main category <b>' . $row['cat_name'] . '</b>';
        if(!$result)
        {
            //something went wrong, display the error
            echo 'Error' . mysql_error();
        }
    }
}
; ?>
```

My categories table is structured like so:

  • cat_id
  • cat_desc

My subcategories table is structured like so:

  • id(AI)
  • c_id
  • sub_cat_name
  • sub_desc

If I haven't provided enough information please let me know.

user2542256
  • Welcome to StackOverflow. **[Please, don't use the mysql_* functions for new code.](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php)** They are no longer maintained and are officially deprecated. See the **[red box](http://php.net/manual/en/function.mysql-connect.php)**? You can use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) instead - [this page](http://php.net/manual/en/mysqlinfo.api.choosing.php) can help you decide which to use. – jcsanyi Jul 05 '13 at 02:55
  • 2
    I don't see where the variables in your insert statement ($cat_id, $sub_cat_name, $sub_desc) are being set from the POST data. – bitfiddler Jul 05 '13 at 02:56
  • Not only is your code using the deprecated `mysql_*` functions, but you're extremely vulnerable to sql injection attacks by just including the variables directly into your query without any sort of escaping. – jcsanyi Jul 05 '13 at 02:56
  • Please tell me the other pages on your site aren't depending on the `register_globals` config to automatically put any POST values into variables. – jcsanyi Jul 05 '13 at 02:57
  • instead of `"INSERT INTO subcategories(c_id, sub_cat_name, sub_desc) VALUES('" . $cat_id . "', '" . $sub_cat_name . "', '" . $sub_desc . "')";` you can use `"INSERT INTO subcategories(c_id, sub_cat_name, sub_desc) VALUES('$cat_id', '$sub_cat_name', '$sub_desc')";` . This makes code more readable. – bansi Jul 05 '13 at 03:02
  • thanks for your concern JCSANYI but the page I am working on is admin only, meaning only I can input from this page, so I'm not worried about me hacking myself. – user2542256 Jul 05 '13 at 04:21

3 Answers


You don't appear to be reading the $_POST variables into the variables you're using in your query. You probably want something like this:

```php
$sub_cat_name = mysql_real_escape_string($_POST['sub_cat_name']);
// repeat for other variables.
```

It seems to me that $cat_id $sub_cat_name and $sub_desc are not defined anywhere.

Also, you're missing a pipe here:

```php
if($_SESSION['signed_in'] == false || $_SESSION['user_level'] != 1 )
// --------------------------------^
```

Lastly, I should note that the mysql_* functions are deprecated. You should really be using mysqli or PDO.

SeanWM
```php
if($_SESSION['signed_in'] == false || $_SESSION['user_level'] != 1 )
// ---------------------------------^ (OR)
```

I also don't see where you set the variables. ('" . $cat_id . "' and etc...)

You should store them into a variable like so:

```php
$cat_id = mysql_real_escape_string($_POST['name_of_the_input']); //and etc..
```

Or in your insert query do this: (Depending on the values whether or not you need to escape it like above)

'".$_POST['name_of_input']."',
Chris78
  • 422
  • 2
  • 5
  • 15
  • I tried the .$_POST. suggestion, it's entering all the fields except for the category ID from the category table into the sub-category table. $sql = "INSERT INTO subcategories(c_id, sub_cat_name, sub_desc) VALUES('" . $_POST['cat_id'] . "', '" . $_POST['sub_cat_name'] . "', '" . $_POST['sub_desc'] . "')"; $result = mysql_query($sql) or die (mysql_error()); – user2542256 Jul 05 '13 at 04:03
  • Change this `echo '';` to this: echo "`";` If that doesn't fix it try storing the id in a variable and then do this. '$catId = $row['cat_id']; $catName = $row['cat_name']; ";` I think your main problem is that cat id is not in the value in your form. – Chris78 Jul 05 '13 at 04:32
  • Not working for me :( somehow I am not selecting the information from the categories table to insert into the sub categories table it seems, I can add to the sub categories table, but it doesn't relay the cat_id into the c_id in sub categories table. – user2542256 Jul 05 '13 at 04:54
  • When you look at the html the cat_id is not in the value? – Chris78 Jul 05 '13 at 05:27
  • I just editing my open post to update the code changes, that is the entire file, it's putting all of the sub_category fields in except for the c_id being inserted from the cat_id from the categories table. – user2542256 Jul 05 '13 at 05:36
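Pulling the thread together (the missing `||`, the unset variables from the first answer, the `categories.cat_id` key that does not match the form's `topic_cat` select, and the comment about unescaped values), here is the same page rewritten with PDO prepared statements. This is an added example, not the asker's code or an accepted answer. It assumes `../includes/connect.php` starts the session and exposes a PDO connection in `$pdo` (a hypothetical variable name), and that `categories` has a `cat_name` column as the asker's SELECT uses. Bound parameters mean the posted strings are never spliced into the SQL text, so the "admin only" argument from the comments is no longer needed to keep the insert safe.

```php
<?php
// Added example (not the asker's code). Assumes connect.php provides $pdo
// (hypothetical name) and has already called session_start().
include '../includes/connect.php';
include '../header.php';

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo '<h2>Create a Sub category</h2>';

// Logical OR (||), not bitwise OR (|), for the access check.
if (empty($_SESSION['signed_in']) || $_SESSION['user_level'] != 1) {
    echo 'Sorry, you do not have sufficient rights to access this page.';
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Show the form. The <select> is named topic_cat, so that is the key
    // that must be read on POST (not "categories.cat_id").
    $stmt = $pdo->query('SELECT cat_id, cat_name FROM categories');
    echo '<form method="post" action="">Category name: <select name="topic_cat">';
    foreach ($stmt as $row) {
        echo '<option value="' . (int)$row['cat_id'] . '">'
           . htmlspecialchars($row['cat_name'], ENT_QUOTES, 'UTF-8') . '</option>';
    }
    echo '</select><br />
        Sub category name: <input type="text" name="sub_cat_name" /><br />
        Sub category description:<br /><textarea name="sub_desc"></textarea><br /><br />
        <input type="submit" value="Add Sub Category" />
        </form>';
} else {
    // Read the posted fields under the names the form actually uses.
    $cat_id       = isset($_POST['topic_cat']) ? (int)$_POST['topic_cat'] : 0;
    $sub_cat_name = isset($_POST['sub_cat_name']) ? trim($_POST['sub_cat_name']) : '';
    $sub_desc     = isset($_POST['sub_desc']) ? trim($_POST['sub_desc']) : '';

    // Reject the blank rows the asker was seeing instead of inserting them.
    if ($cat_id <= 0 || $sub_cat_name === '') {
        echo 'Please choose a category and enter a sub category name.';
        exit;
    }

    try {
        // Bound parameters: the values are sent separately from the SQL text,
        // so quotes in sub_cat_name or sub_desc cannot alter the statement.
        $stmt = $pdo->prepare(
            'INSERT INTO subcategories (c_id, sub_cat_name, sub_desc)
             VALUES (:c_id, :name, :desc)'
        );
        $stmt->execute([':c_id' => $cat_id, ':name' => $sub_cat_name, ':desc' => $sub_desc]);

        // Look the category name up for the confirmation message instead of
        // relying on a $row left over from the GET branch (it is unset here).
        $lookup = $pdo->prepare('SELECT cat_name FROM categories WHERE cat_id = :c_id');
        $lookup->execute([':c_id' => $cat_id]);
        $cat_name = (string)$lookup->fetchColumn();
    } catch (PDOException $e) {
        // Log the detail server-side; show the user only a generic message.
        error_log('subcategory insert failed: ' . $e->getMessage());
        echo 'Error: the sub category could not be saved.';
        exit;
    }

    // Escape on output so stored text cannot inject markup into the page.
    echo 'The sub category <b>' . htmlspecialchars($sub_cat_name, ENT_QUOTES, 'UTF-8')
       . '</b> has been added under the main category <b>'
       . htmlspecialchars($cat_name, ENT_QUOTES, 'UTF-8') . '</b>';
}
```

The `(int)` cast on `topic_cat` both matches the integer `c_id` column and discards anything that is not a category id; the `<= 0` check then catches the "nothing selected" case that left `c_id` empty in the asker's table.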