
I am breaking my head with this code and I know it's something simple I am missing. I am trying to input user data into a table known as tbl_order.

Here is my code:

    <?php
    session_start();
    $connection = mysqli_connect('localhost', 'root', '', 'bookstore');

    if (isset($_POST['submitted'])){

        $cTotal = $_SESSION['checkoutCartTotal'];
        $cName = $_POST['cardName'];
        $cNumber = $_POST['cardNum'];
        $cAdress = $_POST['cusAddress'];
        $cCity = $_POST['cusCity'];
        $cEmail = $_POST['cusEmail'];
        $cPhone = $_POST['cusPhone'];
        $sqlinsert = "INSERT INTO tbl_order (total_price, credit_card_number, fname, email, address, phone, city) VALUES ('$cTotal', $cNumber', '$cName', '$cEmail', '$cAdress', '$cPhone', '$cCity')";
        if (!mysqli_query($connection, $sqlinsert)) {
            die('Error inserting new record');
        }

        $newrecord = "Thank you for making your purchase!";

    }

    ?>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Great Selling Book Store</title>
    <link href="css/slider.css" rel="stylesheet" type="text/css" />

    <link rel="stylesheet" type="text/css" href="css/ddsmoothmenu.css" />

    <link rel="stylesheet" type="text/css" href="css/styles.css" />

    <script language="javascript" type="text/javascript">

        function clearText(field)
        {
            if (field.defaultValue == field.value) field.value = '';
            else if (field.value == '') field.value = field.defaultValue;
        }

    </script>
    </head>

    <body id="subpage">

    <div id="main_wrapper">
        <div id="main_header">
            <div id="site_title"><h1><a href="#" rel="nofollow">Great Selling Book Store</a></h1></div>

            <div id="header_right">
                <div id="main_search">
                    <form action="products.php" method="get" name="search_form">
                      <input type="text" value="Search" name="keyword" onfocus="clearText(this)" onblur="clearText(this)" class="txt_field" />
                      <input type="submit" name="Search" value="" alt="Search" id="searchbutton" title="Search" class="sub_btn"  />
                    </form>
                </div>
             </div> <!-- END -->
        </div> <!-- END of header -->

        <div id="main_menu" class="ddsmoothmenu">
            <ul>
                <li><a href="index.php">Home</a></li>
                <li><a href="products.php">Books</a></li>
                <li><a href="shoppingcart.php">Cart</a></li>
                <li><a class="selected" href="checkout.php">Checkout</a></li>
                <li><a href="about.php">About</a></li>
            </ul>
            <br style="clear: left" />
        </div> <!-- end of menu -->

        <div class="cleaner h20"></div>
        <div id="main_top"></div>
        <div id="main">

            <div id="sidebar">
                <h3>Categories</h3>
                <ul class="sidebar_menu">
                    <li><a href="index.php?cat=children">Children</a></li>
                    <li><a href="index.php?cat=Horror">Horror</a></li>
                    <li><a href="index.php?cat=Thriller">Thriller</a></li>
                </ul>
            </div> <!-- END of sidebar -->

            <div id="content">
                <h2>Checkout</h2>
                <h5><strong>BILLING DETAILS<span style="color: #a11; font-size: 13px; margin-left: 50px;"><span></strong></h5>

                <form method ="post" action="checkout.php">
                <input type="hidden" name="submitted" value= "true" />
                <fieldset>
                    <legend>Customer Checkout</legend>
                    <label>Enter your name as it is on the credit card: <input type="text" name="cardName"></label>
                    <label>Card Number: <input type="text" name="cardNum"></label>
                    <label>Adress: <input type="text" name="cusAddress"></label>
                    <label>City: <input type="text" name="cusCity"></label>
                    <label>Email: <input type="text" name="cusEmail"></label>
                    <label>Please, specify your reachable phone number. YOU MAY BE GIVEN A CALL TO VERIFY AND COMPLETE THE ORDER: <input type="text" name="cusPhone"></label>
                </fieldset>
                <input type="submit" value="Checkout!">
                </form>
                <div class="cleaner h50"></div>
                <h3>Shopping Cart</h3>
                <h4>TOTAL: <strong>R <?php echo @$_SESSION['checkoutCartTotal']; ?></strong></h4>
                <table style="border:1px solid #CCCCCC;" width="100%">
                    <tr>
                        <td height="80px"> <img src="images/paypal.gif" alt="paypal" /></td>
                        <td width="400px;" style="padding: 0px 20px;">Recommended if you have a PayPal account. Fastest delivery time.
                        </td>
                    </tr>
                </table>
                   <?php
                   echo @$newrecord;
                   ?>
            </div> <!-- end of content -->

            <div class="cleaner"></div>
        </div> <!-- END of main -->

        <div id="main_footer">
            <div class="cleaner h40"></div>
            <center>
                Copyright © 2048 DigitalNinja
            </center>
        </div> <!-- END of footer -->

    </div>

    <!--<script type='text/javascript' src='js/logging.js'></script> -->
    </body>
    </html>

And the error I am getting is the one I specified, which is the error inserting into the database, and I have no idea where I am making a mistake.

Here is my database for tbl_order:

    CREATE TABLE `tbl_order` (
      `order_id` int(100) NOT NULL,
      `cus_id` int(100) NOT NULL,
      `prod_no` int(11) NOT NULL,
      `total_price` text NOT NULL,
      `credit_card_number` text NOT NULL,
      `fname` text NOT NULL,
      `email` text NOT NULL,
      `address` text NOT NULL,
      `phone` text NOT NULL,
      `city` text NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    INSERT INTO `tbl_order` (`order_id`, `cus_id`, `prod_no`, `total_price`, `credit_card_number`, `fname`, `email`, `address`, `phone`, `city`) VALUES
    (1, 1, 1, '350', '2147483647', '', '', '', '0', '');

    ALTER TABLE `tbl_order`
      ADD PRIMARY KEY (`order_id`),
      ADD KEY `cus_id` (`cus_id`),
      ADD KEY `prod_no` (`prod_no`);

    ALTER TABLE `tbl_order`
      MODIFY `order_id` int(100) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;

    ALTER TABLE `tbl_order`
      ADD CONSTRAINT `tbl_order_ibfk_1` FOREIGN KEY (`cus_id`) REFERENCES `customer` (`cus_id`),
      ADD CONSTRAINT `tbl_order_ibfk_2` FOREIGN KEY (`prod_no`) REFERENCES `tblproduct` (`prod_no`);

Could someone please help me? I would really appreciate it!

MOHAMMED ISMAIL
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 16 '17 at 18:36
  • Get the actual error using `mysqli_error($connection)` or check your error logs. – Jay Blanchard May 16 '17 at 18:37
  • Most likely, one of your post fields is blank or incorrectly named; also you do not need to include the names on an insert statement. – user3005775 May 16 '17 at 18:38
  • @JayBlanchard I am getting the `die('Error inserting new record');` – MOHAMMED ISMAIL May 16 '17 at 18:39
  • INSERT INTO tbl_order VALUES (1, 1, 1, '350', '2147483647', '', '', '', '0', ''); – user3005775 May 16 '17 at 18:39
  • @user3005775 I did include the names and all my fields are entered in. – MOHAMMED ISMAIL May 16 '17 at 18:39
  • That isn't the actual error - that is just something you created. Put the `mysqli_error()` in the die statement. – Jay Blanchard May 16 '17 at 18:39
  • @user3005775 I manually entered that data in using phpMyAdmin and it worked. – MOHAMMED ISMAIL May 16 '17 at 18:40
  • Running this query in MySQL actually works? `INSERT INTO `tbl_order` (`order_id`, `cus_id`, `prod_no`, `total_price`, `credit_card_number`, `fname`, `email`, `address`, `phone`, `city`) VALUES (1, 1, 1, '350', '2147483647', '', '', '', '0', '');` – user3005775 May 16 '17 at 18:44
  • If you'll do the error checking correctly it'll probably reveal a syntax error which can be fixed by using prepared statements. – Jay Blanchard May 16 '17 at 18:47
  • You might want to try changing `die('Error inserting new record');` to `die($sqlinsert);` – this will tell you if you are grabbing all of the values correctly from your form. – user3005775 May 16 '17 at 18:47
  • Why not use `die(mysqli_error($connection))` @user3005775? Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard May 16 '17 at 18:48
  • @user3005775 I tried what you said and I am getting it correctly. – MOHAMMED ISMAIL May 16 '17 at 18:49
  • @JayBlanchard this is what I got: `You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '`city) VALUES ('80.00', uihiuh', 'kjhiuh', 'iuhiuh', 'ihiuh', 'iuhi', 'iuhiuh')' at line 1` – MOHAMMED ISMAIL May 16 '17 at 18:50
  • @JayBlanchard Thank you so much!! I found my errors! – MOHAMMED ISMAIL May 16 '17 at 18:53
  • You're insertDjr2017 – D. R. May 16 '17 at 19:07

1 Answer

You missed a single quote in your query just before `$cNumber`:

    "INSERT INTO tbl_order (total_price, credit_card_number, fname, email, address, phone, city)
        VALUES ('$cTotal', '$cNumber', '$cName', '$cEmail', '$cAdress', '$cPhone', '$cCity')"
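The missing quote explains the syntax error in the comments, but the comments also make two further points worth showing in code: use a prepared statement so user input never becomes part of the SQL text, and report the real MySQL error instead of a home-made string. The block below is an added example written for this page, not the asker's or answerer's code. It assumes the same form fields and `tbl_order` schema as the question, and it also supplies `cus_id` and `prod_no`, which the schema declares `NOT NULL` with foreign keys and which the original insert leaves out; the session keys `cus_id` and `prod_no` used for that are hypothetical, not from the page.

```php
<?php
// Added example: the checkout insert as a mysqli prepared statement.
// Assumed form fields and table columns match the question; the session keys
// 'cus_id' and 'prod_no' are hypothetical placeholders for the logged-in
// customer and the product being ordered (the schema requires both).
session_start();

// Make mysqli throw mysqli_sql_exception on any failure, so the real server
// message (e.g. the "error in your SQL syntax" text) reaches the error log
// instead of being hidden behind a generic die().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = mysqli_connect('localhost', 'root', '', 'bookstore');
$newrecord  = '';

if (isset($_POST['submitted'])) {
    $cTotal  = $_SESSION['checkoutCartTotal'] ?? '';
    $cusId   = (int) ($_SESSION['cus_id'] ?? 0);   // hypothetical session key
    $prodNo  = (int) ($_SESSION['prod_no'] ?? 0);  // hypothetical session key
    $cName   = $_POST['cardName']   ?? '';
    $cNumber = $_POST['cardNum']    ?? '';
    $cAdress = $_POST['cusAddress'] ?? '';
    $cCity   = $_POST['cusCity']    ?? '';
    $cEmail  = $_POST['cusEmail']   ?? '';
    $cPhone  = $_POST['cusPhone']   ?? '';

    // Placeholders instead of quoted interpolation: the values are sent to the
    // server separately from the statement, so a missing quote in the query
    // string or a quote inside user input cannot break or alter the SQL.
    $sql = 'INSERT INTO tbl_order
                (cus_id, prod_no, total_price, credit_card_number,
                 fname, email, address, phone, city)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';

    try {
        $stmt = mysqli_prepare($connection, $sql);
        // Type string: one character per placeholder, i = integer, s = string.
        mysqli_stmt_bind_param(
            $stmt, 'iisssssss',
            $cusId, $prodNo, $cTotal, $cNumber, $cName, $cEmail, $cAdress, $cPhone, $cCity
        );
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        $newrecord = 'Thank you for making your purchase!';
    } catch (mysqli_sql_exception $e) {
        // Keep the detailed error server-side; the visitor gets a generic message.
        error_log('tbl_order insert failed: ' . $e->getMessage());
        $newrecord = 'Sorry, your order could not be saved.';
    }
}
?>
```

Two notes on the design. First, the catch block logs `$e->getMessage()` rather than echoing it: the MySQL message is what the developer needs, but it also reveals table and column names, so it belongs in the server log, not the page. Second, the insert still writes the raw card number into a `text` column because that is what the question's schema does; a production checkout should hand the card details to a payment processor and never store the number itself.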