PHP SQL Insert text value into database

Question

I am working on an online shopping cart project, which requires me to be able to add a custom text input field to each item that is added to the shopping cart. However, when I attempt to insert the information for each item in the card into a database, I cannot figure out how to pass the itemtext value into my INSERT statement. How would I go about being able to pass the itemtext value from the initial item list into my database for Orderitems? The itemtext input is on line 170, and I want to pass it into the INSERT statement seen on line 83.

<?php
session_start();
$user =  $_SESSION['user'];
if(!isset($user)) {
 header("Location:userlogin.php");
}
$cart = $_COOKIE['WSC'];

if(isset($_POST['clear'])) {
 $expire = time() -60*60*24*7*365;
 setcookie("WSC", $cart, $expire);
 header("Location:order.php");
}
if($cart && $_GET['id']) {
 $cart .= ',' . $_GET['id'];
 $expire = time() +60*60*24*7*365;
 setcookie("WSC", $cart, $expire);
 header("Location:order.php");
}
if(!$cart && $_GET['id']) {
 $cart = $_GET['id'];
 $expire = time() +60*60*24*7*365;
 setcookie("WSC", $cart, $expire);
 header("Location:order.php");
}
if($cart && $_GET['remove_id']) {
 $removed_item = $_GET['remove_id'];
 $arr = explode(",", $cart);
 unset($arr[$removed_item-1]);
 $new_cart = implode(",", $arr);
 $new_cart = rtrim($new_cart, ",");
 $expire = time() +60*60*24*7*365;
 setcookie("WSC", $new_cart, $expire);
 header("Location:order.php");
}

if(isset($_POST['PlaceOrder'])) {
 $email = $user;
 $orderdate = date('m/d/Y');
 $ordercost = $_POST['ordercost'];
 $ordertype = $_POST['ordertype'];
 $downcost = $_POST['downcost'];
 $cardtype = $_POST['cardtype'];
 $cardnumber = $_POST['cardnumber'];
 $cardsec = $_POST['cardsec'];
 $cardexpdate = $_POST['cardexpdate'];
 $orderstatus = "Pending";
 
 if($ordertype=="") {
  $ordertypeMsg = "<br><span style='color:red;'>You must enter an order type.</span>";
 }
 if($cardtype=="") {
  $cardtypeMsg = "<br><span style='color:red;'>You must enter a card type.</span>";
 }
 if($cardnumber=="") {
  $cardnumberMsg = "<br><span style='color:red;'>You must enter a card number.</span>";
 }
 if($cardsec=="") {
  $cardsecMsg = "<br><span style='color:red;'>You must enter a security code.</span>";
 }
 if($cardexpdate=="") {
  $cardexpdateMsg = "<br><span style='color:red;'>You must enter an expiration date.</span>";
 }
 
 else {
  include ('includes/dbc_admin.php');
  $sql = "INSERT INTO Orders (email, orderdate, ordercost, ordertype, downcost, cardtype, cardnumber, cardsec, cardexpdate, orderstatus)
  VALUES ('$email', '$orderdate', '$ordercost', '$ordertype', '$downcost', '$cardtype', '$cardnumber', '$cardsec', '$cardexpdate', '$orderstatus')";
        mysql_query($sql) or trigger_error("WHOA! ".mysql_error());
  $sql = "SELECT orderid FROM Orders";
  $result = mysql_query($sql) or die("Invalid query: " . mysql_error());
  while($row=mysql_fetch_assoc($result)) {
  $myid = $row[orderid];
  }
  $itemnumber = 1;
  $items = explode(',', $cart);
  foreach($items AS $item) {
  $sql = "SELECT * FROM Catalog where id = '$item'";
  $result = mysql_query($sql) or die("Invalid query: " . mysql_error());
   while($row=mysql_fetch_assoc($result)) {
   $itemtext = $_POST['itemtext'];
   $sql= "INSERT INTO OrderItems (orderid, itemnumber, itemid, itemtype, media, itemtext, price)
   VALUE ('$myid', '$itemnumber', '$row[itemid]', '$row[itemtype]', '$row[media]', '$itemtext[itemnumber]', '$row[price]')";
   mysql_query($sql) or trigger_error("WHOA! ".mysql_error());
   }
  $itemnumber++;
  }
  $inserted = "<h2>Thank You!</h2> <h3>Your order has been placed.</h3>";
 }
}

?>

<!DOCTYPE html>
<html>
<head>
<title>Williams Specialty Company</title>
<link href="style.css" rel="stylesheet" type="text/css" />
<script type="text/javascript">
function validateForm() {
 var ordercost = document.form1.ordercost.value;
 var downcost = document.form1.downcost.value;
 var ordertype = document.form1.ordertype.value;
 var cardtype = document.form1.cardtype.value;
 var cardnumber = document.form1.cardnumber.value;
 var cardsec = document.form1.cardsec.value;
 var cardexpdate = document.form1.cardexpdate.value;
 
 var ordertypeMsg = document.getElementById('ordertypeMsg');
 var cardtypeMsg = document.getElementById('cardtypeMsg');
 var cardnumberMsg = document.getElementById('cardnumberMsg');
 var cardsecMsg = document.getElementById('cardsecMsg');
 var cardexpdateMsg = document.getElementById('cardexpdateMsg');
 
 if(ordertype == ""){ordertypeMsg.innerHTML = "You must enter an order type."; return false;}
 if(cardtype == ""){cardtypeMsg.innerHTML = "You must enter a card type."; return false;}
 if(cardnumber == ""){cardnumberMsg.innerHTML = "You must enter a card number."; return false;}
 if(cardsec == ""){cardsecMsg.innerHTML = "You must enter a security code."; return false;}
 if(cardexpdate == ""){cardexpdateMsg.innerHTML = "You must enter an expiration date."; return false;}
 
}
</script>
</head>

<body>
<?php include('includes/header.inc'); ?>

<?php include('includes/nav.inc'); ?>

<div id="wrapper">


<?php include('includes/aside.inc'); ?>


<section>
 <h2>My Cart</h2>
 <table width="100%">
  <tr>
  <th>Catalog ID</th>
  <th>Item Name</th>
  <th>Price</th>
  <th>Item Text</th>
  <th>Actions</th>
  </tr>
 <?php
  $cart = $_COOKIE['WSC'];
  if ($cart) {
   $i = 1;
   $ordercost;
   include('includes/dbc.php');
   $items = explode(',', $cart);
   foreach($items AS $item) { 
    $sql = "SELECT * FROM Catalog where id = '$item'";
    $result = mysql_query($sql) or die("Invalid query: " . mysql_error());
    while($row=mysql_fetch_assoc($result)) {
     echo '<tr>';
     echo '<td align="left">';
     echo $row['itemid'];
     echo '</td>';
     echo '<td align="left">';
     echo $row['itemname'];
     echo '</td>';
     echo '<td align="left">';
     echo $row['price'];
     $ordercost+=$row['price'];
     $downcost = $ordercost / 10;
     echo '</td>';
     echo '<td align="left">';
     echo '<p><input type="text" id= "itemtext" name="itemtext"></p>';
     echo '</td>';
     echo '<td align="left">';
     echo '<a href="order.php?remove_id='.$i.'">Remove From Cart</a>';
     echo '</td>';
     echo '</tr>';
    }
    $i++;
   }
  }
  ?>
 </table><br />
 <form method="POST" action="<?php $_SERVER['PHP_SELF'];?>">
  <input type="submit" name="clear" value="Empty Shopping Cart">
 </form>
 <?php if(isset($inserted)) {echo $inserted;} else{ ?>
   <form method="post" action="<?php echo $SERVER['PHP_SELF'] ?>" name="form1" onSubmit="return validateForm()">
   <p>Total Price: <?php echo $ordercost;?> <input type="hidden" id="ordercost" name="ordercost" value="<?php echo $ordercost;?>"> </p>
   <p>Down Cost: <?php echo number_format((float)$downcost, 2, '.', '');?> <input type="hidden" id="downcost" name="downcost" value="<?php echo number_format((float)$downcost, 2, '.', '');?>"> </p>
   <p><label>Order Type:</label><br> <input type="text" id="ordertype" name="ordertype">
   <?php if(isset($ordertypeMsg)) {echo $ordertypeMsg;} ?>
   <br /><span id="ordertypeMsg" style="color:red"></span>
   </p>
   <p><label>Card Type:</label><br> <input type="text" id="cardtype" name="cardtype">
   <?php if(isset($cardtypeMsg)) {echo $cardtypeMsg;} ?>
   <br /><span id="cardtypeMsg" style="color:red"></span>
   </p>
   <p><label>Card Number:</label><br> <input type="text" id="cardnumber" name="cardnumber">
   <?php if(isset($cardnumberMsg)) {echo $cardnumberMsg;} ?>
   <br /><span id="cardnumberMsg" style="color:red"></span>
   </p>
   <p><label>Card Security Code:</label><br> <input type="text" id="cardsec" name="cardsec">
   <?php if(isset($cardsecMsg)) {echo $cardsecMsg;} ?>
   <br /><span id="cardsecMsg" style="color:red"></span>
   </p>
   <p><label>Card Expiration Date:</label><br> <input type="text" id="cardexpdate" name="cardexpdate">
   <?php if(isset($cardexpdateMsg)) {echo $cardexpdateMsg;} ?>
   <br /><span id="cardexpdateMsg" style="color:red"></span>
   </p>
   <p><input type="submit" name="PlaceOrder" value="Place Order"></p>
  </form><?php }?>
</section>

</div>

<?php include('includes/footer.inc'); ?>

</body>
</html>

@Achshar haha +1. But he/she is probably learning, so let's help out ;-) — Bob van Luijt, Feb 08 '16 at 21:26
It's hard to say if you've any errors or not. add error reporting as you didn't mention anything other than *"how do I..."* — Funk Forty Niner, Feb 08 '16 at 21:29
have you ever turned around and realized the person you were talking to had already walked away? Always `die();` or `exit();` after `header("Location:...");` — andrew, Feb 08 '16 at 21:34

score 0 · Answer 1 · edited May 23 '17 at 11:52

0

Update: This is your answer: change '$itemtext[itemnumber]' into '$itemtext'

~~This is going wrong because of the way you use quotes.~~ (not the answer but you might want to think about it ;-) )

$sql = "INSERT INTO Orders (email, orderdate, ordercost, ordertype, downcost, cardtype, cardnumber, cardsec, cardexpdate, orderstatus)
        VALUES ('$email', '$orderdate', '$ordercost', '$ordertype', '$downcost', '$cardtype', '$cardnumber', '$cardsec', '$cardexpdate', '$orderstatus')";

You should not use '$email' but -for example- ...VALUES ('".$email."',...

Learn more about this here: What is the difference between single-quoted and double-quoted strings in PHP?

On another note, your code is not safe. Please use: http://php.net/manual/en/function.mysql-real-escape-string.php

Example:
...VALUES ('".mysql_real_escape_string($email)."',...

edited May 23 '17 at 11:52

Community

1
1

answered Feb 08 '16 at 21:23

Bob van Luijt

7,153
12
58
101

2

`'$email'` - `'".$email."'` both give the same result. I disagree and if Barmar sees this, he'll tell you the same thing. He and I had a bit of a discussion about this the other day. – Funk Forty Niner Feb 08 '16 at 21:25
Crap! Your are right, my bad... crap, crap crap :'-( – Bob van Luijt Feb 08 '16 at 21:26
However Bob, you may been on to something about escaping the data. The OP might be entering stuff with an apostrophe or something else that MySQL could complain about. – Funk Forty Niner Feb 08 '16 at 21:28

PHP SQL Insert text value into database

1 Answers1