1

I have a PHP form which is supposed to add a book to a table of books in a SQLite database. The form submits; however, a book is not added to my database.

```php
<?php
session_start();

require("books.php");
require("layout.php");

$db = sqlite_open("products.db", 0666, $error);

echo $header;
echo "<p>
        <a href='./index.php'>Bookshop</a></p>";
echo "<h1> Add Books </h1>
<p>
<form action='' method='get' id='AddBook'>
  Author: <input type='text' name='Author'><br>
  Title: <input type='text' name='Title'><br>
  Brief_Synopsis: <input type='text' name='Synopsis'><br>
  ISBN_Number: <input type='text' name='ISBN'><br>
  Publisher: <input type='text' name='Publisher'><br>
  imgNumber (save img with this name under /img/): <input type='text' name='imgNum'><br>
  Price: <input type='text' name='Price'><br>
  Category 1: <input type='text' name='Cat1'><br>
  Category 2: <input type='text' name='Cat2'><br>
  <input type='submit' value='Submit' name='Submit'>
</form>
</p>";


if (isset($_POST['Submit'])) {
    $author = $_POST['Author'];
    $title = $_POST['Title'];
    $Synopsis = $_POST['Synopsis'];
    $ISBN = $_POST['ISBN'];
    $Publisher = $_POST['Publisher'];
    $imgNum = $_POST['imgNum'];
    $Price = $_POST['Price'];
    $Cat1 = $_POST['Cat1'];
    $Cat2 = $_POST['Cat2'];
    sqlite_query($db, "INSERT INTO Books (Author, Title, Brief_Synopsis, ISBN_Number, Publisher, imgNumber, price, cat1, cat2) VALUES ('$_POST[Author]', '$_POST[Title]', '$_POST[Synopsis]', '$_POST[ISBN]', '$_POST[Publisher]', '$_POST[imgNum]', '$_POST[Price]', '$_POST[Cat1]', '$_POST[Cat2]')");
    echo("Book Added!");
    $dbh = null;
}
?>
```

Why is this code not updating my database correctly? Before I added the if statement, it added an empty book to the database every time the page loaded; however, now it submits and resets the form, and my URL looks correct, but the database does not get an item added to it.

SilentUK
  • Try to print the INSERT query before `sqlite_query` - does it show anything? – user4035 Mar 17 '15 at 20:57
  • The code is [*not correctly using placeholders*](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – user2864740 Mar 17 '15 at 21:01
  • 1
    Your code is failing *silently*, because you're using a GET method in your form, whereas you're using POST arrays. Shall I `post` that as an answer? *Pardon the pun* ;-) – Funk Forty Niner Mar 17 '15 at 21:08
  • I'm not really concerned about SQL injection because this is a project that will never be connected to the internet, only hosted on a local machine. – SilentUK Mar 17 '15 at 21:09
  • 1
    You're welcome. I posted an answer below that you can accept to close 'er up. – Funk Forty Niner Mar 17 '15 at 21:11

3 Answers

3

Your code is failing silently, because you're using a GET method in your form, whereas you're using POST arrays.

  • Change the form's method to POST.

I also need to point out that your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements; they're much safer.

Funk Forty Niner
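The PDO prepared-statement approach recommended in the answer above, as an added example that is not part of the original post. It assumes the `pdo_sqlite` extension is enabled; `addBook`, `FIELD_TO_COLUMN`, the in-memory table layout and the sample input are constructed for illustration from the column and field names in the question.

```php
<?php
// Added example: PDO + prepared statement for the Books insert.
// Assumptions: pdo_sqlite is enabled; the table layout below is constructed from
// the column names in the question's INSERT, not taken from the real products.db.

// Form field name => Books column, as used in the question.
const FIELD_TO_COLUMN = [
    'Author' => 'Author', 'Title' => 'Title', 'Synopsis' => 'Brief_Synopsis',
    'ISBN' => 'ISBN_Number', 'Publisher' => 'Publisher', 'imgNum' => 'imgNumber',
    'Price' => 'price', 'Cat1' => 'cat1', 'Cat2' => 'cat2',
];

function addBook(PDO $db, array $input): bool
{
    $values = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        // Refuse an incomplete form instead of inserting an empty book.
        if (!isset($input[$field]) || !is_string($input[$field]) || trim($input[$field]) === '') {
            return false;
        }
        $values[':' . $column] = trim($input[$field]);
    }
    // Column names come from the fixed map above; user data is only ever bound.
    $sql = 'INSERT INTO Books (' . implode(', ', FIELD_TO_COLUMN) . ') VALUES ('
         . implode(', ', array_keys($values)) . ')';
    return $db->prepare($sql)->execute($values);
}

$db = new PDO('sqlite::memory:'); // the real page would open products.db instead
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, not silently
$db->exec('CREATE TABLE Books (Author TEXT, Title TEXT, Brief_Synopsis TEXT,
           ISBN_Number TEXT, Publisher TEXT, imgNumber TEXT, price TEXT, cat1 TEXT, cat2 TEXT)');

// In the web page the call would be guarded by the request method:
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') { addBook($db, $_POST); }
// Constructed sample input; the apostrophes would break the interpolated query.
$sample = ['Author' => "O'Brien", 'Title' => 'test', 'Synopsis' => "A student's story",
           'ISBN' => '23232', 'Publisher' => 'test', 'imgNum' => '23', 'Price' => '45.99',
           'Cat1' => 'test', 'Cat2' => 'test'];

var_dump(addBook($db, $sample));                  // complete form
var_dump(addBook($db, ['Author' => 'only one'])); // incomplete form, refused before any SQL runs
echo $db->query('SELECT Author FROM Books')->fetchColumn(), "\n";
```

Run it with the PHP CLI; with `ERRMODE_EXCEPTION` set, a failed insert raises an exception instead of failing silently as in the question.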
1

The if statement is checking if submit exists and is not null. You cannot check the input type submit, there is no associated value. You can add a hidden input and check it:

```html
<input type="hidden" name="checkSubmit" value="Submitted">
```

```php
if(isset($_POST['checkSubmit']))
```

Kirk Powell
  • This still does not work. It submits, my URL updates to `http://localhost:8800/addBooks.php?Author=test&Title=test&Synopsis=test&ISBN=23232&Publisher=test&imgNum=23&Price=45.99&Cat1=test&Cat2=test&checkSubmit=Submitted&Submit=Submit` but when I check the database nothing has been added. – SilentUK Mar 17 '15 at 21:07
0

I also noticed that the SQL injection is looking at $_POST['myvariable'], making the previous checks for variable redundant at best.

Kirk Powell