
I am new to PHP and MySQL. I simply want to register users to my site (which I did successfully) and once they log in, they can donate clothes. I have two tables-


Users-

  • id (int) PRIMARY KEY and AUTO INCREMENT.
  • Name (varchar)
  • E-mail (varchar)
  • Password (varchar)

Clothes-

  • id (int) PRIMARY KEY and AUTO INCREMENT.
  • user_id (int) FOREIGN KEY
  • Description (varchar)
  • Image (varchar)

What I want is that, when the user logs in and clicks on the donate button, it will take the user to this page-

Fill The Clothes Details

    <form action="clothes.php" method="post" enctype="multipart/form-data">
        <table align="center" width="760px" border="2">

            <tr>
                <td>Clothes Details</td>
                <td><textarea cols="60" rows="10" name="description" ></textarea></td>
            </tr>
            <tr>
                <td>Image</td>
                <td><input type="file" name="image" /></td>
            </tr>
            <tr>
                <td><input type="submit" name="register" value="Submit" ></td>
            </tr>
        </table>
    </form>
    </body>
    </html>

When the user enters the description and uploads the image, I want it to be stored in my phpMyAdmin table, but with the respective id of the user. Here is my PHP script-

    <?php
    session_start();
    include ("includes/db.php");
    if (isset($_POST['register'])) {

        $description = $_POST['description'];
        $image = $_FILES['image']['name'];
        $temp = $_FILES['image']['tmp_name'];
        move_uploaded_file($temp, "clothes/$image");
        $insert = "insert into clothes (description, image) values ( '$description', '$image')";
        $run = mysqli_query($con, $insert);
        if ($run) {
            echo "<script>alert('Clothes Successfully Donated')</script>";
        }
    }

    ?>

And as obvious as it may seem, the data is not inserted into the table. When I echo the insert query, I am getting the query `insert into clothes (user_id, description, image) values ( 'Jeans', 'HUMBLE. - Single.jpg')`, which means my query is working. But I just cannot figure out what the problem is, as this is my first experience with foreign keys. What am I doing wrong?

  • Column count is not equal to values count in insert query!! – Saty May 02 '17 at 04:57
  • Namely in `insert into clothes (user_id, description, image) values ( '$description', '$image')` the value for user_id is missing. – Pinke Helga May 02 '17 at 05:01
  • @Saty even if I remove 'user_id' or add 'id' in the insert query, it is still not working. –  May 02 '17 at 05:02
  • `user_id` is the required foreign key. You need to find a way to get the corresponding id, e.g. stored in a PHP session. – Pinke Helga May 02 '17 at 05:04
  • @Quasimodo'sclone and that is what I am asking. How is it done? –  May 02 '17 at 05:06
  • When a user has logged in, you could start a [PHP session](http://php.net/manual/en/function.session-start.php) holding the id. See also [$_SESSION](http://php.net/manual/en/reserved.variables.session.php). First try to insert a fixed user ID; when it works, start writing code for sessions. – Pinke Helga May 02 '17 at 05:07
  • I see, there actually is already a start_session() in your code. So everything you have to do is `$_SESSION['user_id'] = $id` when you fetched the row from `users` in some place at login time. Then you just insert `$_SESSION['user_id']` as value in your insert statement. Be aware that your approach is highly vulnerable to SQL injections. Use prepared statements instead. – Pinke Helga May 02 '17 at 05:23
  • @Quasimodo'sclone problem solved! Thank you so much. You are a legend! –  May 02 '17 at 06:45
  • Again, I strictly recommend using prepared statements, or anyone can manipulate your queries by simply sending POST data. Imagine what happens, if someone sends a description like `Tom's cat` – Pinke Helga May 02 '17 at 06:54
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 04 '17 at 12:26

1 Answer


First of all, you need to correct the code.

    <?php
    session_start();
    include ("includes/db.php");
    if (isset($_POST['register'])) {
        // User id stored in the session at login time; cast so only an integer reaches the query
        $user_id = (int) $_SESSION['user_id'];
        $description = $_POST['description'];
        $image = $_FILES['image']['name'];
        $temp = $_FILES['image']['tmp_name'];
        move_uploaded_file($temp, "clothes/$image");
        // Prepared statement: the values are bound as parameters, not concatenated into the SQL
        $stmt = mysqli_prepare($con, "insert into clothes (user_id, description, image) values (?, ?, ?)");
        mysqli_stmt_bind_param($stmt, "iss", $user_id, $description, $image);
        $run = mysqli_stmt_execute($stmt);
        if ($run) {
            echo "<script>alert('Clothes Successfully Donated')</script>";
        }
    }
    ?>

First you need to verify whether you have set the logged-in user's id in the session. If not, set it first, then this code will work fine. If you have not set it, then please set `$_SESSION['user_id'] = [id of logged-in user]`.

Hope this will help you.

Manoj Sharma
  • How do I fetch the logged-in user's id? –  May 02 '17 at 05:24
  • In this code the user ID is read by `$user_id = $_SESSION['user_id'];`, provided that you have previously stored it into the session at login time. – Pinke Helga May 02 '17 at 05:36
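
How the id can get into the session at login time, as the comments above describe. This is an added example, not code from the thread. It assumes a login form posting `email` and `password`, `users` columns named `id`, `email` and `password`, and passwords stored with `password_hash()`. The function names are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumed: login form fields `email` and `password`; users columns `id`, `email`,
// `password`; passwords stored with password_hash(). Function names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // database errors throw

// Check the credentials and, on success, remember the user's id in the session.
function login_user(mysqli $con, string $email, string $password): bool
{
    $stmt = mysqli_prepare($con, "SELECT id, password FROM users WHERE email = ?");
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $hash);
    $found = mysqli_stmt_fetch($stmt);    // true for a row, null when none matches
    mysqli_stmt_close($stmt);

    if ($found !== true || !password_verify($password, $hash)) {
        return false;                     // unknown e-mail or wrong password
    }
    session_regenerate_id(true);          // fresh session id once authenticated
    $_SESSION['user_id'] = (int) $id;     // later used as clothes.user_id
    return true;
}

// For clothes.php: the logged-in user's id, or null when nobody is logged in.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// login.php request handling
session_start();
include ("includes/db.php");              // provides $con, as in the question
$email = $_POST['email'] ?? null;
$password = $_POST['password'] ?? null;
if (is_string($email) && is_string($password) && login_user($con, $email, $password)) {
    header('Location: clothes.php');
    exit;
}
// In clothes.php, before the insert:
//   $user_id = current_user_id();
//   if ($user_id === null) { header('Location: login.php'); exit; }
```

The id always comes from the session the server filled in at login, never from a form field, so a user cannot donate under someone else's `user_id`.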