0

I am having an issue where I insert the record and it gets inserted, and the email part also works, but when the confirmation page shows, it only shows the last record in the array 3 times. I figured putting it in a for loop would show all the records. I am not sure what I am doing wrong; I will keep trying to figure out the issue.

process_insert.php

<html>
    <head>
    <title></title>
    </head>
    <body>
    <?php
    ini_set('display_errors', 1);
    error_reporting(~0);

    $serverName = "localhost";
    $userName = "root";
    $userPassword = "";
    $dbName = "blog_samples";

    $conn = mysqli_connect($serverName,$userName,$userPassword,$dbName);

    $rows_count = count($_POST["name"]);

    $message = '';

    for($i=0;$i<$rows_count;$i++){

        // PREVENTING SQL INJECTION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        $employee_name = mysqli_real_escape_string($conn,$_POST["employee_name"][$i]);
        $name = mysqli_real_escape_string($conn,$_POST["name"][$i]);
        $code = mysqli_real_escape_string($conn,$_POST["code"][$i]);
        $quantity = intval($_POST["quantity"][$i]);
        $price = mysqli_real_escape_string($conn,$_POST["price"][$i]);


        $sql = "INSERT INTO order_table ( employee_name, name, code, quantity, price) 
            VALUES ('$employee_name', '$name', '$code', '$quantity', '$price')";

        $query = mysqli_query($conn,$sql);


        if(mysqli_affected_rows($conn)>0) {


                $message .=

                "employee_name: " . $employee_name . " 

                " ."name: ".  $name ." 

                ". "code: " . $code . " 

                " ."quantity: ".  $quantity . " 

                ". "price: " . $price . "";
        }

    }

    if ( ! empty($message)) {
        $to = "xgrh@gmail.com";
        $subject = "Supplies";
        $headers = "From: user@gmail.com"; 

        mail($to,$subject,$message,$headers); 
    }


    ?>



    <h1 align="center">Supply Request Confirmation</h1>
    <p align="center">Thank you, <?php echo $employee_name; ?><br><br>
        Your request has been sent. 
        Please print this page out for your copy.</p>

    <div align="center">
        <h2>Request Information</h2>
    </div>
    <table style="width: 45%" align="center">
        <tr>
            <td class="style">Date Request: <?php $date = new DateTime();
    echo $date->format('m/d/Y H:i:s') . "\n";  ?></td>
        </tr>



        <?php for($i=0;$i<$rows_count;$i++){?>


        <tr>
            <td class="style">name: <?php echo $name; ?></td>
        </tr>
        <tr>
            <td class="style">  code: <?php echo $code;  ?></td>
        </tr>
        <tr>
            <td class="style">  Quantity: <?php echo $quantity;  ?></td>
        </tr>
        <tr>
            <td class="style">  price: <?php echo $price;  ?></td>
        </tr>

        <?php } ?>
    </table>


    <div align="center"><button onClick="window.print()">Print this page</button></div>
    </body>
    </html> 
Donny
  • 738
  • 7
  • 23
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). Accidentally unescaped data is a serious risk. Using bound parameters is less verbose and easier to review to check you’re doing it properly. – tadman Aug 30 '17 at 23:11
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Aug 30 '17 at 23:11
  • already know I am changing it after I figure this part I will be writing this in prepared statements thank you – Donny Aug 30 '17 at 23:15
  • Since you're having problems it's best to do that now, as it can probably fix a lot of problems out of the gate and save you trouble later. A lot of problems can be detected and resolved by [enabling exceptions in `mysqli`](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so mistakes aren't easily ignored. You're assuming everything here works out without issues, and you could be wrong. – tadman Aug 30 '17 at 23:33

1 Answer

1

This occurs because the variables $name, $code, $amount, and $price have the last values of your $_POST. You can use the $_POST values of the last cycle or create a variable with these values.

Try this instead:

    <html>
    <head>
    <title></title>
    </head>
    <body>
    <?php
    ini_set('display_errors', 1);
    error_reporting(~0);

    $serverName = "localhost";
    $userName = "root";
    $userPassword = "";
    $dbName = "blog_samples";

    $conn = mysqli_connect($serverName,$userName,$userPassword,$dbName);

    $rows_count = count($_POST["name"]);

    $message = '';
    // Collects every submitted row so the confirmation page can list them all
    $data = array();

    for($i=0;$i<$rows_count;$i++){

        // PREVENTING SQL INJECTION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        $employee_name = mysqli_real_escape_string($conn,$_POST["employee_name"][$i]);
        $name = mysqli_real_escape_string($conn,$_POST["name"][$i]);
        $code = mysqli_real_escape_string($conn,$_POST["code"][$i]);
        $quantity = intval($_POST["quantity"][$i]);
        $price = mysqli_real_escape_string($conn,$_POST["price"][$i]);

        array_push($data, array(
            'employee_name' => $employee_name,
            'name' => $name,
            'code' => $code,
            'quantity' => $quantity,
            'price' => $price,

        ));
        $sql = "INSERT INTO order_table ( employee_name, name, code, quantity, price) 
            VALUES ('$employee_name', '$name', '$code', '$quantity', '$price')";

        $query = mysqli_query($conn,$sql);


        if(mysqli_affected_rows($conn)>0) {


                $message .=

                "employee_name: " . $employee_name . " 

                " ."name: ".  $name ." 

                ". "code: " . $code . " 

                " ."quantity: ".  $quantity . " 

                ". "price: " . $price . "";
        }

    }

    if ( ! empty($message)) {
        $to = "xgrh@gmail.com";
        $subject = "Supplies";
        $headers = "From: user@gmail.com"; 

        mail($to,$subject,$message,$headers); 
    }


    ?>



    <h1 align="center">Supply Request Confirmation</h1>
    <p align="center">Thank you, <?php echo htmlspecialchars($employee_name, ENT_QUOTES, 'UTF-8'); ?><br><br>
        Your request has been sent. 
        Please print this page out for your copy.</p>

    <div align="center">
        <h2>Request Information</h2>
    </div>
    <table style="width: 45%" align="center">
        <tr>
            <td class="style">Date Request: <?php $date = new DateTime();
    echo $date->format('m/d/Y H:i:s') . "\n";  ?></td>
        </tr>



        <?php foreach ($data as $value) { // HTML-encode each submitted value on output ?>


        <tr>
            <td class="style">name: <?php echo htmlspecialchars($value['name'], ENT_QUOTES, 'UTF-8'); ?></td>
        </tr>
        <tr>
            <td class="style">  code: <?php echo htmlspecialchars($value['code'], ENT_QUOTES, 'UTF-8');  ?></td>
        </tr>
        <tr>
            <td class="style">  Quantity: <?php echo htmlspecialchars((string) $value['quantity'], ENT_QUOTES, 'UTF-8');  ?></td>
        </tr>
        <tr>
            <td class="style">  price: <?php echo htmlspecialchars($value['price'], ENT_QUOTES, 'UTF-8');  ?></td>
        </tr>

        <?php } ?>
    </table>


    <div align="center"><button onClick="window.print()">Print this page</button></div>
    </body>
    </html> 
Nuno Silva
  • 26
  • 1
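
A sketch of the same handler following the advice in the comments on the question (prepared statements with `bind_param`, `mysqli` errors raised as exceptions), with per-row validation and HTML encoding on output. This is an added example, not code from the question or the answer: the function names are hypothetical, and the table, columns and connection settings are the ones shown on the page.

```php
<?php // Added example: function names are hypothetical; table and columns are the page's.
function collect_rows(array $post): array // parallel POST arrays -> validated rows
{
    $rows = [];
    foreach (array_keys((array) ($post['name'] ?? [])) as $i) {
        $row = [];
        foreach (['employee_name', 'name', 'code', 'quantity', 'price'] as $f) {
            $v = is_array($post[$f] ?? null) ? ($post[$f][$i] ?? null) : null;
            if (!is_string($v)) {
                continue 2; // missing or nested value: skip the whole row
            }
            $row[$f] = trim($v);
        }
        if (ctype_digit($row['quantity']) && is_numeric($row['price'])) {
            $rows[] = array_merge($row, ['quantity' => (int) $row['quantity']]);
        }
    }
    return $rows;
}

function insert_rows(mysqli $db, array $rows): void // placeholders keep values out of the SQL text
{
    $stmt = $db->prepare('INSERT INTO order_table (employee_name, name, code, quantity, price)
                          VALUES (?, ?, ?, ?, ?)');
    foreach ($rows as $r) {
        $stmt->bind_param('sssis', $r['employee_name'], $r['name'], $r['code'], $r['quantity'], $r['price']);
        $stmt->execute();
    }
}

function render_rows(array $rows): string // encode on output so submitted text stays inert
{
    $html = '';
    foreach ($rows as $r) {
        foreach (['name', 'code', 'quantity', 'price'] as $f) {
            $html .= "<tr><td>$f: " . htmlspecialchars((string) $r[$f], ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
        }
    }
    return $html;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
    $db = new mysqli('localhost', 'root', '', 'blog_samples'); // settings from the page
    $rows = collect_rows($_POST);
    insert_rows($db, $rows);
    echo '<table>', render_rows($rows), '</table>';
} else { // constructed sample input; runs without a database
    echo render_rows(collect_rows(['employee_name' => ['Ann'], 'name' => ['<b>Pens</b>'],
        'code' => ['P-1'], 'quantity' => ['3'], 'price' => ['1.50']]));
}
```

Run from the command line it renders the constructed sample row with the markup in `name` encoded; behind a web server it handles the form POST.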