Php multipart/form-data insert into database script not working

Question

I'm trying to allow user to update a database of products through form but upon submit nothing happens... No errors are even fired. I have been trying to work this out for hours and maybe my eyes are getting too tire because I can't see what's wrong...

form.php

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

require_once $_SERVER['DOCUMENT_ROOT'].'/ecommerce/core/init.php';
include 'includes/header.php'; 
if(isset($_GET['add'])){
$parentQuery = $db->query("SELECT * FROM categories WHERE parent= 0" );
    if (isset($_POST['submit'])) {  

     if(isset($_POST['prod_name']))
    {
        $prod_name = sanitize($_POST)['prod_name'];    
    }

         if(isset($_POST['child']))
    {
        $categories = sanitize($_POST)['child'];    
    }

          if(isset($_POST['price']))
    {
        $price =  sanitize($_POST)['price'];    
    }

         if(isset($_POST['list_price']))
    {
        $prod_name = sanitize($_POST)['list_price'];    
    }

         if(isset($_POST['prod_width']))
    {
        $prod_width = sanitize($_POST)['prod_width'];    
    }

       if(isset($_POST['prod_depth']))
    {
        $prod_depth =  sanitize($_POST)['prod_depth'];    
    }

           if(isset($_POST['prod_height']))
    {
        $prod_height =  sanitize($_POST)['prod_height'];    
    }

           if(isset($_POST['prod_material']))
    {
        $prod_material =  sanitize($_POST)['prod_material'];    
    }

           if(isset($_POST['quantity']))
    {
        $quantity = sanitize($_POST)['quantity'];    
    }

       if(isset($_POST['care_instructions']))
    {
        $care_instructions = sanitize($_POST)['care_instructions'];    
    }

    if(isset($_POST['image_1']))
    {
        $image_1 =  $_FILES['image_1'];    
    }

       if(isset($_POST['image_2']))
    {
        $image_2 = $_FILES['image_2'];    
    }

       if(isset($_POST['image_3']))
    {
        $image_3 = $_FILES['image_3'];    
    }

       if(isset($_POST['image_4']))
    {
        $image_4 =  $_FILES['image_4'];    
    }

       if(isset($_POST['description']))
    {
        $description =  sanitize($_POST)['description'];    
    } else {

    $errors = array();                 
    $required = array('prod_name','child','price','prod_width', 'prod_depth','prod_height', 'prod_material', 'quantity', 'description', 'care_instructions', 'image_1', 'image_2', 'image_3', 'image_4');

                        foreach ($required as $field) {             
    if ($_POST[$field] == '') {                 
    $errors[] = 'All Fields With and Astrisk are required';                 
        break; } else {
            //upload file and insert into database            
    //move_uploaded_file($tmpLoc, $uploadPath);             
    $insertSql = "INSERT INTO `product` (`prod_name`,`child`,`price`,`list_price`,`prod_width`,`prod_depth`,`prod_height`, `prod_material`, `quantity`, `description`, `care_instructions`, `image_1`, `image_2`, `image_3`, `image_4`); VALUES ('$prod_name','$child','$price','$list_price','$prod_width', '$prod_depth','$prod_height', '$prod_material', '$quantity', '$description', '$care_instructions', '$image_1', '$image_2', '$image_3', '$image_4');";             
    $db->query($insertSql)          or die(mysqli_error($db));   
        header('Location: products.php');}}}}?> 


        <form action="products.php?add=1" method="POST" enctype="multipart/form-data">

            <div class='container_12'>
            <div class="form-group col-md-3">
                <label for="prod_name">Product Name*:</label>
                 <input type="text" name="prod_name" id="prod_name" class="form-control" value="<?=((isset($_POST['prod_name']))?sanitize($_POST['prod_name']):' ');?>">


            </div>
            <div class="form-group col-md-3">
                <label for="parent">Parent Category*:</label>
                <select class="form-control" id="parent" name="parent"> 
                    <option value=""<?=((isset($_POST['parent']) && $_POST['parent'] == '')?'selected':'');?>></option> 
                        <?php while($parent = mysqli_fetch_assoc($parentQuery)): ?> 
                    <option value=" <?=$parent['id'];?>"<?=((isset($_POST['parent']) && $_POST['parent'] == $parent['id'])?' select':'');?>><?=$parent['category_name'];?></option> 
                        <?php endwhile; ?> 
                </select>
            </div>
            <div class='form-group col-md-3'>
                <label for='child'>Second Category*:</label>
                <select id='child' name='child' class='form-control'></select>
            </div>
            </div>

            <div class='container_12'>

                <div class='form-group col-md-3'>
                        <label for='list_price'>List Price(OPTIONAL): </label>
                        <input type="text" id="list_price" name="list_price" class="form-control" value="<?=((isset($_POST['list_price']))?sanitize($_POST['list_price']):'');?>">
                </div>

                 <div class="form-group col-md-3">
                <label for="price">Price*:</label> 
                <input type="text" id="price" name="price" class="form-control" value="<?=((isset($_POST['price']))?sanitize($_POST['price']):'');?>"> 
            </div>

             <div class='form-group col-md-3'>
                        <label for='prod_width'>Width* (in inches):</label>
                        <input type="text" id="prod_width" name="prod_width" class="form-control" value="<?=((isset($_POST['prod_width']))?sanitize($_POST['prod_width']):'');?>">
                </div>

             <div class='form-group col-md-3'>
                        <label for='prod_depth'>Height*(in inches):</label>
                        <input type="text" id="'prod_depth" name="'prod_depth" class="form-control" value="<?=((isset($_POST['prod_depth']))?sanitize($_POST['prod_depth']):'');?>">
                </div>
            </div>

            <div class='container_12'>
             <div class='form-group col-md-3'>
                        <label for='prod_height'>Depth*(in inches):</label>
                        <input type="text" id="prod_height" name="prod_height" class="form-control" value="<?=((isset($_POST['prod_height']))?sanitize($_POST['prod_height']):'');?>">
                </div>

            <div class='form-group col-md-3'>
                        <label for='prod_material'>Construction Material:</label>
                        <input type="text" id="prod_material" name="prod_material" class="form-control" value="<?=((isset($_POST['prod_material']))?sanitize($_POST['prod_material']):'');?>">

            </div>

            <div class='form-group col-md-6'>
                <label>Quantity * :</label>
                  <input type="text" id="quantity" name="quantity" class="form-control" value="<?=((isset($_POST['quantity']))?sanitize($_POST['quantity']):'');?>">

            </div>
            </div>

            <div class='container_12'>
                <div class="form-group col-md-3"> <label for="image_1">Product Photo #1:</label> 
                <input type="file" name="image_1" id="image_1" class="form-control"> 
            </div>
                  <div class="form-group col-md-3"> <label for="image_2">Product Photo #2:</label> 
                <input type="file" name="image_2" id="image_2" class="form-control"> 
            </div>
                  <div class="form-group col-md-3"> <label for="image_3">Product Photo #3:</label> 
                <input type="file" name="image_3" id="image_3" class="form-control"> 
            </div>
                  <div class="form-group col-md-3"> <label for="image_4">Product Photo#4:</label> 
                <input type="file" name="image_4" id="image_4" class="form-control"> 
            </div>

            </div>



            <div class='container_12'>
            <div class="form-group col-md-6">
                <label for="description">Description:</label>
                <textarea id="description" name="description" class="form-control" rows="6"><?=((isset($_POST['description']))?sanitize($_POST['description']):'');?></textarea> 
            </div>



              <div class="form-group col-md-6">
                <label for="care_instructions">Care Instructions*:</label>
                <textarea id="care_instructions" name="care_instructions" class="form-control" rows="6"><?=((isset($_POST['care_instructions']))?sanitize($_POST['care_instructions']):'');?></textarea> 
              </div></div>

            <div class='container_12'>
                <div class="form-group pull-right">
            <input type='submit' name='submit' value='Add Product' class='form-control btn-success pull-right'>
                </div></div>
                               </form>

*"Php database injections script not working"* - What exactly do you mean by that title? Do you want to avoid or purposely create an sql injection? — Funk Forty Niner, Nov 20 '16 at 18:30
This question was improperly closed. This http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks is the one that should have been used; pay attention here YCS. Look at their syntax `INSERT INTO product ('prod_name','child','price',...` incorrect identifier qualifiers. — Funk Forty Niner, Nov 20 '16 at 18:32
@Fred-ii-: Mispelled the question it is not a duplicate. Edited. — Bic Mitchun, Nov 20 '16 at 18:33
You're right, it's not a duplicate of http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php it's a duplicate of this one http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks to which I have reopened and reclosed. `mysqli_error($db)` would have told you about that against the query. — Funk Forty Niner, Nov 20 '16 at 18:34
However this `if (isset($_POST['submit'])) {...}` I'm surprised you say there's no error. That should have thrown you an undefined index notice; there's no submit of that name. — Funk Forty Niner, Nov 20 '16 at 18:36
@Fred-ii-: Thanks for the help but it's not a duplicate in this case because despite the fact I have changed for backticks for `INSERT INTO product ('prod_name','child','price',...` and updated the typos. Nothing is being inserted in database. When I click on submit the page just kind of refresh. — Bic Mitchun, Nov 20 '16 at 20:04
You need edit it again; you left a quote in here `',` for the `price` column and it's unsure whether or not that that is what you're really using. In the meantime, do check for errors on the query, you're not doing that, with what I pointed out earlier using `mysqli_error($db)`. Is there not anything coming back from that? — Funk Forty Niner, Nov 20 '16 at 20:09
You also left out where this function is and what it does `sanitize()`. — Funk Forty Niner, Nov 20 '16 at 20:11
@Fred-ii-: I have updated the script. Now I'm receiving an error Warning: `htmlentities() expects parameter 1 to be string, array given in C:\xampp\htdocs\ecommerce\helpers\helpers.php on line 11` And this is line 11 in helpers.php the whole function is `function sanitize ($dirty){ return htmlentities($dirty, ENT_QUOTES, "UTF-8"); }` — Bic Mitchun, Nov 20 '16 at 20:22
I should have never gotten involved in this question. I told you to post your (unknown) `sanitize()` function; the problem's in there. Please don't ask for more help from me, because I have already spent enough time trying to help you. Here's a suggestion which I hope you will take into consideration. Dump that entire code and start over and not use that custom function of yours and use a prepared statement. That will take care of sql injection. — Funk Forty Niner, Nov 20 '16 at 20:25

Php multipart/form-data insert into database script not working

0 Answers0