
I have been making a customised wedding gift registry for a wedding website that I have been building and for a while it seemed to work fine but now it seems to be not working and I'm not sure why...

The way the gift registry works is as follows:

  • It uses a dynamic table which is updated based on a MySQL database; and,
  • an HTML form in which the user enters "gift choices" and, using PHP, the form updates the MySQL database so that the gift's status becomes unavailable (and this is reflected in the table)
  • The code initially would update the dynamic table and refresh the page so the user could see that the gift that they had selected was now "taken" (the refresh is important because otherwise the table contents would not be updated). Now what is happening is that the form entries do not seem to be being entered into the database when the user fills out the form and clicks submit.

    The code for this is a complete hack and I have never used PHP, SQL, or JavaScript before this (I had dabbled a little in HTML), so naturally I think I am a little lost.

    So does anybody know where I've gone wrong?

    I would appreciate any help that anyone could give.


    The code is as follows:

    The following builds the dynamic table

    <?php
    echo"<thead>
    <tr>
    <th>Gift</th>  
    <th>Price</th>
    <th>Where to buy</th> 
    <th>Availability</th>
    </tr>
    </thead>";
    
    $dbc = mysqli_connect('localhost','XXXXX','XXXXX','XXXXX_giftregistry') or die('Error connecting to MYSQL server.');
            $results = mysqli_query($dbc,"SELECT gift_name, price, where_to_buy, status FROM gift_reg");
    
            while($row = mysqli_fetch_array($results)) {
            ?>
                <tr>
                    <td><?php echo $row['gift_name']?></td>
                    <td><?php echo $row['price']?></td>
                    <td><?php echo $row['where_to_buy']?></td>
                    <td><?php echo $row['status']?></td>
                </tr>
    
            <?php
            }
            ?>
    
            </table>
    

    The next part is the form submission code

    <?php
    $person_gifting = $_POST['name'];
    $status = $_POST['status'];
    $gift_name = $_POST['gift_name'];
    
    if ($_POST['submit']) {
    $dbc = mysqli_connect('localhost','XXXXXX','XXXXXX','XXXXX_giftregistry') or die('Error connecting to MYSQL server.');
    mysqli_query($dbc,"UPDATE gift_reg SET person_gifting = '$person_gifting' WHERE gift_name = '$gift_name'") or die ('Error querying database.');
    mysqli_query($dbc,"UPDATE gift_reg SET status = '$status' WHERE gift_name = '$gift_name'") or die ('Error querying database.');
    mysqli_close($dbc);
    echo "<script> formSubmit()</script>";
    }
    

    The next section is the form.

    echo "<form method='post' action='index.php'><label>Name</label><input name='name' placeholder='Type Here' required><label>What gift would you like to give?</label>";
    
    
     $dbc = mysqli_connect('localhost','XXXXX','XXXXX','XXXXX_giftregistry') or     die('Error connecting to MYSQL server.');
    $query="SELECT gift_name FROM gift_reg WHERE status='Available'";
    $result = mysqli_query ($dbc,$query);
    echo "<select name='gift_name'>";
    
    while($nt=mysqli_fetch_array($result)){
    echo "<option value=$nt[gift_name]>$nt[gift_name]</option>";
    }
    
    echo "</select>"; 
    mysqli_close($dbc);
    ?>
    
    
    <label>Have you already purchased this gift?</label>
    <input name='status' type="radio" value="Taken" id="r1" required>  
    <label for="r1"><span></span> Already purchased </label>
        <input name='status' type="radio" value="Taken" id="r2" required>
        <label for="r2"><span></span> Going to purchase </label>
    
    <input id="submit" name="submit" type="submit" value="Submit">
    
    
    </form>
    

    The formSubmit() refers to:

    <script>
    function formSubmit() {
    window.location.reload();
    }
    </script>
    
    1212__Hello
    • It seems to me that you're reloading the page rather than submitting the form – STT LCU Aug 02 '13 at 13:34
    • Not what you're asking about, but [your SQL code is extremely vulnerable](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). – bfavaretto Aug 02 '13 at 13:43
    • I probably missed something but what "is now not working"? Is there some error message? Wrong or no data inserted? Server crash? Something else? – Sylvain Leroux Aug 02 '13 at 14:26
    • Please before you write **any** more SQL interfacing code, read up on the proper use of [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add data to your queries. What you've done here has created a gigantic [SQL injection bug](http://bobby-tables.com/) because you haven't [properly escaped your data](http://bobby-tables.com/php). Admitting you don't know what you're doing is okay. The next step is to learn how to do it correctly. – tadman Aug 02 '13 at 14:45
    • Sorry, should be more clear. Refer to updated post. – 1212__Hello Aug 02 '13 at 14:48
    • I guess this is what happens when you blindly write code, thank you for your input tadman and bfavaretto. I will fix that vulnerability up. – 1212__Hello Aug 02 '13 at 14:58
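
The parameterized form of the question's two UPDATE queries, following the comments about `bind_param`. This is an added example, not code from any poster: table and column names come from the question, while `claim_gift()`, the `DB_*` credentials and the `claimed` query parameter are hypothetical placeholders.

```php
<?php
// Added example. Table/column names are from the question; claim_gift(),
// the DB_* credentials and the "claimed" parameter are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function claim_gift(mysqli $dbc, string $person, string $gift, string $status): bool
{
    // Allow-list the status: both radio buttons in the form post "Taken".
    if ($person === '' || !in_array($status, ['Taken'], true)) {
        return false;
    }
    // Placeholders keep user input out of the SQL text, so a quote in a name
    // is stored as data instead of changing the query. One statement sets
    // both columns, and only while the gift is still available.
    $stmt = $dbc->prepare(
        "UPDATE gift_reg SET person_gifting = ?, status = ?
          WHERE gift_name = ? AND status = 'Available'"
    );
    $stmt->bind_param('sss', $person, $status, $gift);
    $stmt->execute();
    $claimed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $claimed;
}

// Must run before any HTML is sent, because it ends with a redirect header.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['submit'])) {
    $dbc = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $dbc->set_charset('utf8mb4');
    $ok = claim_gift(
        $dbc,
        trim((string) ($_POST['name'] ?? '')),
        (string) ($_POST['gift_name'] ?? ''),
        (string) ($_POST['status'] ?? '')
    );
    $dbc->close();
    // Redirect after POST: the browser re-requests the page with GET, which
    // shows the updated table without a script-driven reload.
    header('Location: index.php?claimed=' . ($ok ? '1' : '0'), true, 303);
    exit;
}
```

A return value of `false` means no row matched, which is also the signal to look for when a submitted gift name does not equal any `gift_name` stored in the table.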

    1 Answer


    Try changing

    while($nt=mysqli_fetch_array($result)){
        echo "<option value=$nt[gift_name]>$nt[gift_name]</option>";
    }
    

    to

    while($nt=mysqli_fetch_array($result)){
        echo "<option value=\"{$nt['gift_name']}\">{$nt['gift_name']}</option>";
    }
    

    The reason this works is:

    a) Referencing an array element as $nt[giftname] is different from $nt['giftname']: the first looks for an array element with a key equal to the value of a constant called 'giftname', whereas the latter is looking for an array element with a key of 'giftname'.

    b) Depending on which Doc type you're working with, you should use value="value" rather than value=value

    JohnnyFaldo
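
What the quoting change in the answer does to the submitted value, shown as an added example that is not part of the original answer. It assumes gift names may contain spaces or HTML-special characters (the page does not show the table's data); the gift names and function names below are constructed for illustration.

```php
<?php
// Added example; gift names are constructed sample data.

// Markup in the shape the question's loop produces: unquoted, unescaped.
function option_unquoted(string $name): string
{
    return "<option value=$name>$name</option>";
}

// Quoted attribute with the value HTML-escaped, so spaces, quotes, & and <
// in a gift name stay inside the attribute and cannot inject markup.
function option_escaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<option value=\"$safe\">$safe</option>";
}

// Parse the markup with an HTML parser and return the value attribute,
// i.e. what the form would post as gift_name for that option.
function submitted_value(string $optionHtml): string
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<select>' . $optionHtml . '</select>');
    return $doc->getElementsByTagName('option')->item(0)->getAttribute('value');
}

foreach (['Kettle', 'Toaster Oven', 'Salt & Pepper "Deluxe" Set'] as $gift) {
    printf(
        "%-28s unquoted => %-10s escaped => %s\n",
        $gift,
        var_export(submitted_value(option_unquoted($gift)), true),
        var_export(submitted_value(option_escaped($gift)), true)
    );
}
```

An unquoted attribute value ends at the first whitespace, so a multi-word name posts only its first word and a `WHERE gift_name = ...` comparison on it matches no row.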