-2

I have retrieved certain data from the database and placed it in a variable, i.e.:

$pid=$_SESSION['data'][$i]['productid'];
$q=$_SESSION['data'][$i]['qty'];
$pname=get_product_name($pid);
$price = get_price($pid);
$list.=$list."productid:". $pid."\n".",productname:".$pname.",\nquantity".$q."\n price:".$price.";";

The variable data is of the form:

$items=productid:1 ,productname:aaa, quantity1 price:100;productid:2 ,productname:ccc, quantity2 price:120;

Now I need to send this data to another page and store that variable in another table of the same database. What I have done is pass that variable using the URL:

<a href="prdbilling.php?list=<?php echo $list?>"/>Place Order</a>

In the product billing page I need to add this variable, along with other data, into a table. My code for inserting data into the database is:

$insertquery=mysql_query("insert into customers(name,email,address,phone,orderlist) values('{$_POST['name']}','{$_POST['email']}','{$_POST['address']}','{$_POST['phone']}','$list')"); 

But it is not working. Can anyone give suggestions? Thanks in advance.

zkanoca
user2083041
  • I'd start by dumping `mysql_*` functions. Check out `mysqli`. Then make sure to prepare your queries and bind the parameters. More info here: http://php.net/manual/en/mysqli.prepare.php – elclanrs Aug 13 '13 at 07:33
  • 2
    Ah, and this is how little Bobby Tables is born. Please, PLEASE validate user entry (e.g. sanitize your user input from POST and escape it before putting it into the database). For your problem: mysql_error() after your mysql_query() holds the info on why it did not work (mysql_query() == false if it did not work)... and I just wait for someone saying "you should use PDO/mysqli ... because" – Najzero Aug 13 '13 at 07:33
  • 1
    Why is it that EVERY time a question seems to involve some kind of `mysql_`-method, the very first comment is: "_Do not use mysql_", "_use PDO_", "_use mysqli_"? People are not asking about their deprecated mysql, which is not a crime to use by the way - they are asking about everything else. In this case, user2083041 obviously struggles with some old **osCommerce** (or a variant) - ridiculous to begin discussing `mysql_` in that context. – davidkonrad Aug 13 '13 at 07:41
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Álvaro González Aug 13 '13 at 07:42

3 Answers

0

If you are storing the data in table1 on page1, then just pass the table name and id of the inserted record and do an INSERT SELECT in MySQL on page2. Why bother passing all that data when you don't need to?

Revent
0
mysql_query("insert into customers(name,email,address,phone,orderlist) values('{$_POST['name']}','{$_POST['email']}','{$_POST['address']}','{$_POST['phone']}','$list')");

should be

mysql_query("insert into customers(name,email,address,phone,orderlist) values('".mysql_real_escape_string($_POST['name'])."','".mysql_real_escape_string($_POST['email'])."','".mysql_real_escape_string($_POST['address'])."','".mysql_real_escape_string($_POST['phone'])."','".mysql_real_escape_string($list)."')");
Goutam Pal
0

You don't write your parameters as they should be:

$url = "YOUR_URL?" . "parameter1_name=" . $parameter1_value . "&parameter2_name=" . $parameter2_value . "&parameter3_name=" . $parameter3_value ;

Then, you get your parameters with $_GET (or $_REQUEST) and not $_POST. You don't do a POST request but a GET request.

zkanoca
kmas
  • I changed my query to "$insertquery=mysql_query("insert into customers(name,email,address,phone,orderlist) values('{$_POST['name']}','{$_POST['email']}','{$_POST['address']}','{$_POST['phone']}','{$_GET['list']}')"); "but it is not working – user2083041 Aug 13 '13 at 07:48
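
As an added example (not code from the question or from any answer or comment above), here is the billing-page insert done with bound parameters, as the first comment recommends, with the order list rebuilt on the server from the cart instead of being read back from the URL. It assumes PDO with an in-memory SQLite database so it runs offline; `build_order_list`, `save_order` and the sample cart, customer and product values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// asker's MySQL database so the script runs offline (needs pdo_sqlite).

// Rebuild the order list on the server from the cart instead of reading it
// back from the query string, where the client could edit products or prices.
function build_order_list(array $cart, callable $getName, callable $getPrice): string
{
    $lines = [];
    foreach ($cart as $item) {
        $pid = (int) $item['productid'];
        $qty = (int) $item['qty'];
        $lines[] = "productid:$pid,productname:" . $getName($pid)
                 . ",quantity:$qty,price:" . $getPrice($pid);
    }
    return implode(';', $lines);
}

// Values are bound as parameters, so quotes in them never reach the SQL parser.
function save_order(PDO $db, array $post, string $list): int
{
    $stmt = $db->prepare(
        'INSERT INTO customers (name, email, address, phone, orderlist)
         VALUES (:name, :email, :address, :phone, :orderlist)'
    );
    $stmt->execute([
        ':name'      => $post['name'] ?? '',
        ':email'     => $post['email'] ?? '',
        ':address'   => $post['address'] ?? '',
        ':phone'     => $post['phone'] ?? '',
        ':orderlist' => $list,
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
           address TEXT, phone TEXT, orderlist TEXT)');

// Constructed stand-ins for $_SESSION['data'], $_POST and the product lookups.
$cart     = [['productid' => 1, 'qty' => 1], ['productid' => 2, 'qty' => 2]];
$post     = ['name' => "Pat O'Brien", 'email' => 'pat@example.com',
             'address' => '1 Main St', 'phone' => '555-0100'];
$products = [1 => ['aaa', 100], 2 => ['ccc', 120]];

$list = build_order_list($cart, fn($id) => $products[$id][0], fn($id) => $products[$id][1]);
$id   = save_order($db, $post, $list);
var_dump($db->query('SELECT name, orderlist FROM customers')->fetch(PDO::FETCH_ASSOC));
```

The apostrophe in the sample name is the kind of ordinary input that breaks the string-interpolated query in the question; with bound parameters it is stored unchanged.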