
I'm trying to make a log of cars going in and out of a parking lot.

The car info is retrieved from a database and is working fine. The problem I'm having is getting the in/out times to store into the database. In a previous page I had done it so that the form was separate from the table and the input info would be updated, but for this page I need to have a dynamic amount of fields varying on the cars in the database. I am not sure what I am doing wrong, but here is my code; the data is not being sent or stored in the database.

<h3>Update Car</h3>
<form action="carLog.php" method="post">
  <fieldset>
    <legend>Car Log</legend>

    <?php //This prints out the car log data

      $sql = "SELECT * FROM carLog";
      $result = $databaseConnection->query($sql);

      echo "<table class='TFtable' border='1' style='width':100%>"; //starts the table tag
      echo "<tr>
              <td>Name</td>
              <td>Vehicle</td>
              <td>Licence Plate</td>
              <td>In</td>
              <td>Out</td>
              <td>In</td>
              <td>Out</td>
              <td>Comments</td>
            </tr>"; //sets headings

      while($row = $result->fetch_assoc()) { //loops for each result

        echo "<tr>
                <td>".$row['name']."</td>
                <td>".$row['vehicle']."</td>
                <td>".$row['plate']. "</td>
                <td><input type='text' size='5' maxlength='5' name='inTime' value='".$row['inTime']."' id='inTime' /></td>
                <td><input type='text' name='outTime' value='".$row['outTime']."' id='outTime' /></td>
                <td><input type='text' name='inTime2' value='".$row['inTime2']."' id='inTime2' /></td>
                <td><input type='text' name='outTime2' value='".$row['outTime2']."' id='outTime2' /></td>
                <td><input type='text' name='comments' value='".$row['comments']."' id='comments' /></td>
              </tr>";

      }
      echo "</table>"; //closes the table
    ?>
    <input type="submit" name="Save" value="Save" />                
  </fieldset>
</form>

The database connection is fine and working. Here is the php that handles the post:

if (isset($_POST['Save'])){
  $name = $_POST['name'];
  $vehicle = $_POST['car'];
  $plate = $_POST['plate'];
  $inTime = $_POST['inTime'];
  $outTime = $_POST['outTime'];
  $inTime2 = $_POST['inTime2'];
  $outTime2 = $_POST['outTime2'];
  $comments = $_POST['comments'];
  $query = "UPDATE carLog SET inTime = '$inTime', outTime = '$outTime', inTime2 = '$inTime2', outTime2 = '$outTime2' WHERE plate = '$plate'";

  $databaseConnection->query($query);
rafa316
  • on a side note, my form fields are coming out wayyyy bigger than necessary and adding the size='4' attribute inside the input field isn't helping, ideas? – rafa316 Nov 09 '15 at 23:23
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Nov 09 '15 at 23:33
  • There are links in my previous comment. – Quentin Nov 09 '15 at 23:57
  • I assume you refer to the second code segment? – rafa316 Nov 10 '15 at 00:04
  • Pass them as array. Also pass the unique ID so it can be easily processed in your php file. – Logan Wayne Nov 10 '15 at 01:16
  • suggest put a few debug bits in there so you can see what's going on. e.g. is the post data as expected: var_dump($_POST), what does the database say about your query: var_dump the result of the database query. etc until you find what isn't working. –  Nov 10 '15 at 01:30

1 Answer

Note:

  • You only have five (5) input fields inside your while() loop, but you are trying to process eight (8) input fields in your carLog.php. So it will return undefined variable errors.

  • Pass the input fields as an array.

  • Inside the loop, hide the primary id of each car/vehicle in a hidden input (also as an array).

Add this inside your while() loop:

/* ASSUMING vehicle_id IS THE PRIMARY ID OF YOUR carLog TABLE; JUST REPLACE IT WITH THE RIGHT COLUMN NAME */
echo '<input type="hidden" name="hidden_id[]" value="'.$row["vehicle_id"].'">';

You have to add [] in your input's name tags.

<td><input type='text' name='outTime[]' .....

Do it to the rest of your inputs.

Then, in your carLog.php file, which processes the input (at least use *_real_escape_string to prevent SQL injections), we will be checking each input using a for() loop:

if (isset($_POST['Save'])){

  for($x = 0; $x< count($_POST["hidden_id"]); $x++){

    $vehicleid = $databaseConnection->real_escape_string($_POST['hidden_id'][$x]);
    $inTime = $databaseConnection->real_escape_string($_POST['inTime'][$x]);
    $outTime = $databaseConnection->real_escape_string($_POST['outTime'][$x]);
    $inTime2 = $databaseConnection->real_escape_string($_POST['inTime2'][$x]);
    $outTime2 = $databaseConnection->real_escape_string($_POST['outTime2'][$x]);
    $comments = $databaseConnection->real_escape_string($_POST['comments'][$x]);

    $query = "UPDATE carLog SET inTime = '$inTime', outTime = '$outTime', inTime2 = '$inTime2', outTime2 = '$outTime2' WHERE vehicle_id = '$vehicleid'";

    $databaseConnection->query($query);

  } /* END OF FOR LOOP */

} /* END OF ISSET Save */

Since you are using mysqli_* already, consider using the prepared statement approach.

Logan Wayne
  • so *_real_escape_string will prevent sql injections? or do i still need to use other methods? – rafa316 Nov 10 '15 at 02:12
  • Yes, it does protect you from SQL injections. But `*_real_escape_string` has more work to do, applying it on each variable, compared to a prepared statement, where it will sanitize each parameterized variable for you. You can take a look at the links I have provided - [How to prevent SQL injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for more info. So did my answer work for you? – Logan Wayne Nov 10 '15 at 02:24
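
The prepared-statement approach recommended at the end of the answer, applied to the same array-style form, as an added example that is not part of the original answer or comments. The function name `saveCarLog` is hypothetical, `vehicle_id` as an integer primary key is the answer's own assumption, and unlike the answer's loop this version also stores `comments`.

```php
<?php
// Added example (not the answer's code). saveCarLog() is a hypothetical name;
// vehicle_id as an integer primary key is the answer's own assumption.
function saveCarLog(mysqli $db, array $post): int
{
    $textFields = ['inTime', 'outTime', 'inTime2', 'outTime2', 'comments'];

    // Each field must arrive as an array (name='field[]'); anything else
    // means the request does not match the form.
    foreach (array_merge(['hidden_id'], $textFields) as $f) {
        if (!isset($post[$f]) || !is_array($post[$f])) {
            throw new InvalidArgumentException("Field $f must be an array");
        }
    }

    // Prepared once; the values are sent separately from the SQL text, so
    // quotes in a comment or time cannot change the statement.
    $stmt = $db->prepare(
        'UPDATE carLog
            SET inTime = ?, outTime = ?, inTime2 = ?, outTime2 = ?, comments = ?
          WHERE vehicle_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $executed = 0;
    foreach ($post['hidden_id'] as $i => $id) {
        // Skip rows whose id is not an integer instead of querying with it.
        $vehicleId = filter_var($id, FILTER_VALIDATE_INT);
        if ($vehicleId === false) {
            continue;
        }
        $v = [];
        foreach ($textFields as $f) {
            $value = $post[$f][$i] ?? '';
            $v[] = is_scalar($value) ? (string) $value : '';
        }
        $stmt->bind_param('sssssi', $v[0], $v[1], $v[2], $v[3], $v[4], $vehicleId);
        if ($stmt->execute()) {
            $executed++;
        }
    }
    $stmt->close();
    return $executed;
}

if (isset($_POST['Save'])) {
    saveCarLog($databaseConnection, $_POST);
}
```

The hidden id is supplied by the browser, so the handler updates whichever rows the request names; restrict it to rows the current user is allowed to edit if that matters for the application.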