I'm creating a new booking system for my employer, in which a form is filled in and data enters a pre-built MySQL database.

I'm honestly unsure as to what I am doing wrong. Originally the data would not post into the database, but the form would appear to have submitted. Now, the form just submits to a white page. I will submit the full page code below as there's no compromising data there, and hopefully somebody will be able to help.

```php
<head>
<title>&nbsp;&nbsp;Moat Laptop Bookinge&nbsp;&nbsp;</title>
<?php
if (isset($_POST['submitted'])) {

    include('booking_db.php');

    $name = $_POST['name'];
    $out = $_POST['out'];
    $in = $_POST['in'];
    $sqlinsert = "INSERT INTO Future (name, out, 'in') VALUES ('$name', '$out', '$in')";

    if (!mysqli_query ($dbcon, $sqlinsert)) {
        die('error inserting new record');
            }
            $newrecord = "Laptop has been successfully Booked!";
}
?>

<link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/themes/smoothness/jquery-ui.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>

 <script>
  $(document).ready(function() {
    $("#datepicker").datepicker();
  });
  </script>

   <script>
  $(document).ready(function() {
    $("#datepicker2").datepicker();
  });
  </script>
</head>

<body style="background-height: 100%;background-width: 100%;background: #141E30;background: -webkit-linear-gradient(to left, #141E30 , #243B55);background: linear-gradient(to left, #141E30 , #243B55);">
<div id="logo" style="font-family: Tw Cen MT; font-weight: Bold; position: fixed; color: white; left: 650px;top: 35px; font-size: 80px;text-shadow: 3px 3px #c7c7c7;">
Book a Laptop
</div>
<div id="content_box" style="background-color: white;position: fixed; left: 450px;top: 135px; width:60%; height: 70%; border-radius: 3px;">
<center>
<form method="post" action="book.php" style="font-family: Bodoni MT;">
<input type="hidden" name="submitted" value="true" />
         <br />
         <br />
         <b><legend>First Name and First Letter of Surname</legend></b>
         <input type="text" name="name" value="Ex. James T" />
         <br/>
         <br />

         <b><legend>When will you need to collect the device?</legend></b>
         <input id="datepicker2" name="out" />
         <br/>
         <br />

         <b><legend>When will you return the device?</legend></b>
         <input id="datepicker" name="in" />

         <br />
         <input type="submit" value="Confirm Booking" />



</center>
<?php
echo $newrecord
?>

</div>

</body>
```

If you need any more information, within reason, feel free to ask.

EDIT: This issue has been resolved. I cannot mark the answer as it was my answer and I have to wait 2 days. Thank you for all of the answers.

James Timms
  • A "white page" in PHP usually means there was an error. Check the PHP logs, turn on error reporting, etc. Also note that your code is *wide open* to SQL injection, and that when there's a SQL error (which is very likely in this code) you don't actually check what that error is. You should *really* start with some decent tutorials on using `mysqli` or `PDO`. – David Mar 15 '17 at 09:02
  • The absolutely first thing you do if you encounter something unexpected when programming PHP in a web environment _always_ is to take a look into your HTTP server's error log file. There is where you can simply read what the actual issue is instead of having to guess or ask for help. _You cannot implement in a web environment without monitoring that log file. That would be like flying blindfolded in a narrow cave._ – arkascha Mar 15 '17 at 09:06
  • What baffles me is the fact that I've used this exact code before and it's worked perfectly. I'm quite lucky really that I'm developing this on my own personal dev server as no customers can access it yet. @arkascha – James Timms Mar 15 '17 at 09:09
  • One _always_ develops on a test environment before anyone else can access an implementation. Everything else would again be like closing your eyes, trying to cross a narrow bridge with no handrail claiming "well, I have crossed bridges before, haven't I? So I should be safe...". That is not how things are done. The fact that code works on one system but fails on another can have various causes but happens frequently. There obviously _always_ is a specific reason. You have to find that. And for that you test things. Best with an automated test suite. – arkascha Mar 15 '17 at 09:12
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 15 '17 at 12:02
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Mar 15 '17 at 12:02
  • @JayBlanchard This isn't being public so that is fine, it's going to be within a staff intranet. – James Timms Mar 15 '17 at 12:05
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Mar 15 '17 at 12:11
  • Your staff will be the first ones who will bite you in the arse ¯\\_(ツ)_/¯ – Jay Blanchard Mar 15 '17 at 12:12
  • I know all about SQL injections and knew that this was at risk of one. I've also taught myself to code, I wasn't taught at school. This is currently on my development server, which only I have access to as it's in my house. When it's moved over to the intranet, before staff are allowed access to it, I will be cleaning it up a bit. – James Timms Mar 15 '17 at 12:16

3 Answers

There could be a problem in the line `include('booking_db.php');`. You should mention `error_reporting(E_ALL);` at the top of the page, and try debugging:

```php
error_reporting(E_ALL);

if (isset($_POST['submitted'])) {

    var_dump(file_exists('booking_db.php')); // check if you get true or false

    require 'booking_db.php'; // Change include to require
    echo "Test";
    exit;
    $name = $_POST['name'];
    echo $name; // Check
    $out = $_POST['out'];
    $in = $_POST['in'];
    $sqlinsert = "INSERT INTO Future (name, out, 'in') VALUES ('$name', '$out', '$in')";

    var_dump($dbcon); // check

    if (!mysqli_query ($dbcon, $sqlinsert)) {
        die('error inserting new record');
    }
    $newrecord = "Laptop has been successfully Booked!";
}
```

Please check what you're getting after form submit.

Indrasis Datta
  • I get sent to a page which states the following Array ( [submitted] => true [name] => James T [out] => 03/31/2017 [in] => 04/07/2017 ) – James Timms Mar 15 '17 at 09:06
  • Looks like you're not getting anything printed after the include statement. That means it's unable to locate the file `booking_db.php`. You possibly need to mention the correct path. – Indrasis Datta Mar 15 '17 at 09:07
  • It's in the same directory as the form, it shouldn't logically need a path – James Timms Mar 15 '17 at 09:10
  • Please do the changes till `exit` as shown. Replace `include` with `required`. And check if you get true or false. – Indrasis Datta Mar 15 '17 at 09:13
  • I just put the Database connection file into the code at the top instead of a separate file, and now it's saying error inserting new record, James TNull Array ( [submitted] => true [name] => James T [out] => 03/16/2017 [in] => 03/31/2017 ) James TNULL error inserting new record – James Timms Mar 15 '17 at 09:15
  • Any idea with this one? – James Timms Mar 15 '17 at 09:19
  • Within die, mention the error function: `die(mysqli_error($dbcon)); ` – Indrasis Datta Mar 15 '17 at 09:30
  • White screens me after adding the error function. `die(echo("Error description: " . mysqli_error($dbcon));` – James Timms Mar 15 '17 at 09:36
  • Mysqli_error not working, but the dump has changed. `Array ( [submitted] => true [name] => james t [out] => 03/16/2017 [in] => 03/31/2017 ) james t03/16/201703/31/2017resource(5) of type (mysql link) error inserting new record` – James Timms Mar 15 '17 at 09:48
  • Any idea mr Object? – James Timms Mar 15 '17 at 10:43

Replace your insert query with:

```
INSERT INTO Future (`name`,`out`,`in`) VALUES ('".$name."', '".$out."', '".$in."')
```

and `if (isset($_POST['submitted']))` with `if (isset($_POST['Confirm Booking']))`

because you have to put your value of submit button in POST

Sweta Parmar

Turns out, my issue was with

```php
if (!mysqli_query ($dbcon, $sqlinsert)) {
        die('error inserting new record');
            }
            $newrecord = "Laptop has been successfully Booked!";
}
```

I changed this to

```php
if (mysqli_query ($link, $sqlinsert)) {
    echo "";
} else {
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
```

And changed a few variables to match up with this, and it started working and posted to my DB. Thank you to anyone who answered.

James Timms
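
The points raised on this page (backtick-quoted reserved column names, surfacing the MySQL error instead of a blank page, and the prepared statements recommended in the comments) combined in one handler, as an added example that is not code from any of the posters. The credentials, database name, the helpers `picker_date` and `book_laptop`, and the assumption that `out` and `in` are DATE columns are hypothetical.

```php
<?php
// Added example. Assumptions: DATE columns for `out`/`in`, and the
// constructed placeholder credentials and database name used below.

// Make mysqli throw on failure so a bad query is never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Convert a datepicker value (mm/dd/yyyy, as in the dumps above) to Y-m-d.
// Returns null for anything that does not round-trip, e.g. 02/30/2017.
function picker_date(string $value): ?string
{
    $d = DateTimeImmutable::createFromFormat('!m/d/Y', $value);
    return ($d !== false && $d->format('m/d/Y') === $value)
        ? $d->format('Y-m-d')
        : null;
}

function book_laptop(mysqli $db, string $name, string $out, string $in): string
{
    $outDate = picker_date($out);
    $inDate  = picker_date($in);
    if ($name === '' || $outDate === null || $inDate === null) {
        return 'Please enter a name and two valid dates.';
    }
    // `out` and `in` are reserved words in MySQL, so they need backticks;
    // single quotes ('in') would make a string literal, not a column name.
    $stmt = $db->prepare('INSERT INTO Future (`name`, `out`, `in`) VALUES (?, ?, ?)');
    // Values travel separately from the SQL text, so quotes in $name stay data.
    $stmt->bind_param('sss', $name, $outDate, $inDate);
    $stmt->execute();
    return 'Laptop has been successfully booked!';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Treat missing or non-string fields (e.g. name[]=x) as empty input.
    $field = fn(string $k): string => is_string($_POST[$k] ?? null) ? trim($_POST[$k]) : '';
    try {
        $db = new mysqli('localhost', 'booking_user', 'placeholder-password', 'booking');
        $newrecord = book_laptop($db, $field('name'), $field('out'), $field('in'));
    } catch (mysqli_sql_exception $e) {
        error_log('Booking insert failed: ' . $e->getMessage()); // detail goes to the server log
        $newrecord = 'Sorry, the booking could not be saved.';
    }
    echo htmlspecialchars($newrecord, ENT_QUOTES, 'UTF-8');
}
```

With `mysqli_report` set this way, a connection or syntax error lands in the PHP error log with the MySQL message attached, while the browser only sees the generic text.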