0

I have a shopping cart and I want to send the purchase to my database. I am completely sure that the form part works fine, however the page where the purchase needs to be inserted into the database is wrong. However, I don't really know what's wrong and why it's giving me just a blank page (addorder.php, the processing page) while it's supposed to give me an error message on the previous page. This is the code for addorder.php:

<?php

class PurchaseOrder
{
    private $db_connection = null;

    public $errors = array();

    public $messages = array();

    public function __construct()
    {
        if (isset($_POST["purchase"])) {
            $this->addOrder();
        }
    }

    private function addOrder()
    {
        if (empty($_POST['order_firstname'])) {
            $this->errors[] = "Please fill in your first name.";
        } elseif (empty($_POST['order_lastname'])) {
            $this->errors[] = "Please fill in your last name."; 
        } elseif (empty($_POST['order_phone'])) {
            $this->errors[] = "Please fill in your phone number.";  
        } elseif (empty($_POST['order_address'])) {
            $this->errors[] = "Please fill in your address.";
        } elseif (empty($_POST['order_city'])) {
            $this->errors[] = "Please fill in your city.";  
        } elseif (empty($_POST['order_postalcode'])) {
            $this->errors[] = "Please fill in your postal code.";
        } elseif (empty($_POST['order_deliverydate'])) {
            $this->errors[] = "Please fill in a delivery date you like.";               
        } elseif (empty($_POST['order_country'])) {
            $this->errors[] = "Please choose your country.";

            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }

            if (!$this->db_connection->connect_errno) {

                $lastorder= "SELECT orderNumber FROM orders ORDER BY orderNumber DESC LIMIT 1";
                $lastordernumber=mysql_query($lastorder);

                while ($row=mysql_fetch_array($lastordernumber)) {
                    $lastnumber = $row['orderNumber'];
                }

                $order_firstname = $_POST['order_firstname'];
                $order_lastname = $_POST['order_lastname'];
                $order_phone = $_POST['order_phone'];
                $order_address = $_POST['order_address'];
                $order_city = $_POST['order_city'];
                $order_postalcode = $_POST['order_postalcode'];
                $order_deliverydate = $_POST['order_deliverydate'];
                $order_country = $_POST['order_country'];
                $order_date = date("Y-m-d");

                $customernumber = $_SESSION['CustomerNumber'];

                    $sql = "INSERT INTO orders (orderNumber, orderDate, requiredDate, shippedDate, status, comments, customerNumber) VALUES('" . $lastnumber . "', '" . $order_date . "', null, null, null, null, '" . $customernumber . "');";

                    $query_new_order = $this->db_connection->query($sql);

                    if ($query_new_order) {
                        $this->messages[] = "Your profile has been updated succesfully!";
                    } else {
                        $this->errors[] = "Sorry, your registration failed. Please go back and try again.";
                    }
            } else {
                $this->errors[] = "Sorry, no database connection.";
            }
        } else {
            $this->errors[] = "An unknown error occurred.";
        }
    }
}

And this is a picture of the 'orders' table in my database: enter image description here

Can you guys help me out, I debugged the code and there are no syntax errors. What can it be? I am pretty confused now...

EDIT: This is how messages and errors are displayed on the sendviaparcel.php page, which is also the page with the form on it:

<?php
if (isset($purchaseOrder)) {
    if ($purchaseOrder->errors) {
        foreach ($purchaseOrder->errors as $error) {
            echo '<div class="well"><h4><i class="fa fa-exclamation-triangle fa-3"></i> '.$error.'</h4></div>';
        }
    }
    if ($purchaseOrder->messages) {
        foreach ($purchaseOrder->messages as $message) {
            echo '<div class="well"><h4><i class="fa fa-check fa-3"></i> '.$message.'</h4></div>';
        }
    }
}
  
 require("includes/connection.php");
 
?>

And this is the form on sendviaparcel.php:

<form method="post" action="addorder.php" name="orderform">
  <table class="table table-striped">
                        <---THIS IS MY TABLE CONTENT---/>
  </table>
 <a href="index.php" class="btn btn-login">Cancel <i class="fa fa-times fa-2"></i></a>
 <button type="submit" class="btn btn-login btn-signin" name="purchase">Confirm purchase <i class="fa fa-check fa-2"></i></button>
</div>
</form>

I have already turned on error reporting, but it returns nothing.

Jesper Provoost
  • 67
  • 1
  • 9
  • Are you actually initializing the class and calling your methods? It looks like you're checking things on a blank $purchaseOrder – Bryan Zwicker May 19 '15 at 20:30
  • This isn't the issue, however don't you want the database connection/query to be outside of the `elseif (empty($_POST['order_country'])) {` block? Seems to me the query will only attempt to execute if order_country IS empty. – Devin H. May 19 '15 at 20:34
  • 1
    **WARNING**: This is terrifyingly insecure because those parameters are not [properly escaped](http://bobby-tables.com/php). You should **NEVER** put `$_POST` data directly into the query: it creates a gigantic [SQL injection bug](http://bobby-tables.com/). `mysql_query` is an obsolete interface and should not be used, it's being removed from PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. – tadman May 19 '15 at 20:35

0 Answers0