
I want to insert the items chosen by the user from the shopping cart into the database after they click the confirm button. The problem is that, after the items are inserted, the quantity value is not what I expected. I want the inserted quantity to be the one set by the user in the shopping cart. But in fact the inserted quantity is the stock quantity set by the admin in the database.

Here is the code that displays the shopping cart:

    <table>
        <tr>
            <th>Peralatan Sukan</th>
            <th>Kuantiti</th>
        </tr>
    <?php
    if(isset($_SESSION['cart'])){
        $sql = "SELECT * FROM peralatansukan WHERE no IN(";
        foreach((array) $_SESSION['cart'] as $id => $value){
            $sql .= $id . ",";
        }
        $sql = substr($sql,0,-1) . ") ORDER BY no ASC";
        $query = mysql_query($sql);
        if(!empty($query)){
            while($row = mysql_fetch_array($query)){
    ?>
        <tr>
            <td><?php echo $row['peralatansukan']; ?></td>
            <td><input type="text" name="kuantiti[<?php echo $row['no']; ?>]" size="6" value="<?php echo $_SESSION['cart'][$row['no']]['kuantiti']; ?>"> </td>

Here is the code that updates the quantity in the shopping cart:

    if(isset($_GET['action']) && $_GET['action']=="add"){
        $id=intval($_GET['id']);
        if(isset($_SESSION['cart'][$id])){
            $_SESSION['cart'][$id]['kuantiti']++;
        }else{
            $sql_p="SELECT * FROM peralatansukan WHERE no={$id}";
            $query_p=mysql_query($sql_p);
            if(mysql_num_rows($query_p)!=0){
                $row_p=mysql_fetch_array($query_p);
                $_SESSION['cart'][$row_p['no']]=array("kuantiti" => 1);
            }else{
                $message="Product ID is invalid";
            }
        }
    }

Here is the code that inserts items from the shopping cart into the database:

    if(isset($_SESSION['cart'])){
        $sql = "SELECT * FROM peralatansukan WHERE no IN(";
        foreach((array) $_SESSION['cart'] as $id => $value){
            $sql .= $id . ",";
        }
        $sql = substr($sql,0,-1) . ") ORDER BY no ASC";
        $query = mysql_query($sql);
        if(!empty($query)){
            while($row = mysql_fetch_array($query)){
                $sql = "INSERT INTO user_request(nama, noic, jawatan,
                    peringkat, email, no, peralatansukan, kuantiti) values
                    ('$_SESSION[nama]', '$_SESSION[noic]',
                    '$_SESSION[jawatan]', '$_SESSION[peringkat]',
                    '$_SESSION[email]', '$row[no]', '$row[peralatansukan]',
                    '$row[kuantiti]')";
                $res = mysql_query($sql);
                unset($_SESSION['cart']);
                echo '<script type="text/javascript">alert("Your request is success.");window.location.href="viewalat.php";</script>';
            }
        }
    }
    else{
        echo '<script type="text/javascript">alert("Sorry. Something went wrong.");window.location.href="viewalat.php";</script>';
    }

I'm new to PHP. I hope you can help me out with this problem. FYI, I'm still learning to use mysqli. I hope you can understand. Thank you.

Vega Maya
  • 5
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 27 '17 at 16:23
  • 4
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 27 '17 at 16:23
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Feb 27 '17 at 16:26
  • Shouldn't you be using `$value` instead of `$row['kuantiti']` when inserting data? – RST Feb 27 '17 at 16:45
  • @RST nothing inserted. – Vega Maya Feb 27 '17 at 17:20
  • Sorry for my mistake. I put the wrong code snippet for updating the quantity in the shopping cart. Update done. – Vega Maya Feb 27 '17 at 18:09
  • Please double-check the database insert code here. The code is broken! Please paste the right code here. – behkod Feb 27 '17 at 18:20
  • @BehradKhodayar I updated my latest insert code. – Vega Maya Feb 27 '17 at 18:32
  • @BehradKhodayar All is going well except the quantity value. It doesn't match what I want. It gives me the available quantity of each item, not the quantity chosen by the user in the shopping cart. – Vega Maya Feb 27 '17 at 18:39
  • Shouldn't you replace `$row[kuantiti]` with `$_SESSION['cart'][$row[no]]['kuantiti']++` in your last `$sql`? – behkod Feb 27 '17 at 18:56
  • @VegaMaya The trailing ++ was mistakenly there (I couldn't just edit it). Just replace `$row[kuantiti]` with `$_SESSION['cart'][$row[no]]['kuantiti']` in your last `$sql`, and let me know if it's OK. – behkod Feb 27 '17 at 19:05
  • @BehradKhodayar the value is Array[41][kuantiti]++ :( – Vega Maya Feb 27 '17 at 19:08
  • Also Array[41][kuantiti]. Huh.. feeling like I want to give up. :( – Vega Maya Feb 27 '17 at 19:10
  • Never give up! (like The Last Man Standing did! ;-) ) Please provide the `peralatansukan` schema and a var_dump of `$_SESSION`. – behkod Feb 27 '17 at 19:15
  • Sorry. I don't get it. Did you mean the database structure? – Vega Maya Feb 27 '17 at 19:29
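
The change suggested in the comments, as an added example that is not part of the original thread: the stored quantity is read from the session cart entry rather than from the `kuantiti` stock column, and every value is bound through PDO prepared statements instead of being concatenated into the SQL. It assumes an in-memory SQLite database with constructed rows, a `user_request` table cut down to four columns, a plain `$session` array standing in for `$_SESSION`, and a hypothetical `saveRequest()` helper.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE peralatansukan (no INTEGER PRIMARY KEY, peralatansukan TEXT, kuantiti INTEGER)');
$pdo->exec('CREATE TABLE user_request (nama TEXT, no INTEGER, peralatansukan TEXT, kuantiti INTEGER)');
$pdo->exec("INSERT INTO peralatansukan VALUES (41, 'Bola sepak', 20), (42, 'Raket', 15)");

// Constructed session state: stock is 20 and 15, the user asked for 3 and 2.
$session = [
    'nama' => "Ali O'Neil",   // a quote that would break the concatenated SQL
    'cart' => [41 => ['kuantiti' => 3], 42 => ['kuantiti' => 2]],
];

function saveRequest(PDO $pdo, array $session): int   // hypothetical helper
{
    // Keep only positive integer ids that carry a positive integer quantity.
    $cart = [];
    foreach ($session['cart'] ?? [] as $id => $item) {
        $qty = filter_var($item['kuantiti'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if (is_int($id) && $id > 0 && $qty !== false) {
            $cart[$id] = $qty;
        }
    }
    if ($cart === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($cart), '?'));   // one ? per cart id
    $select = $pdo->prepare("SELECT no, peralatansukan FROM peralatansukan WHERE no IN ($marks) ORDER BY no ASC");
    $select->execute(array_keys($cart));
    $insert = $pdo->prepare('INSERT INTO user_request (nama, no, peralatansukan, kuantiti) VALUES (?, ?, ?, ?)');

    $pdo->beginTransaction();
    $saved = 0;
    foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Quantity comes from the cart entry, not from the stock column.
        $insert->execute([$session['nama'], $row['no'], $row['peralatansukan'], $cart[(int) $row['no']]]);
        $saved++;
    }
    $pdo->commit();
    return $saved;   // the caller clears the cart once, after the loop
}

echo saveRequest($pdo, $session), " rows saved\n";
foreach ($pdo->query('SELECT no, kuantiti FROM user_request') as $r) {
    echo $r['no'], ' => ', $r['kuantiti'], "\n";
}
```

Because the quantity is passed as a bound parameter, no nested array is interpolated into a double-quoted string, which is where output such as `Array[41][kuantiti]` comes from.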
