0

For a school project I am trying to write to a table called enrolment where the student number and the course they have selected are added after they have been tested to make sure the student name and number exist in another database. No errors are coming up; however, when I check my database afterward, enrolment says it's an empty set. Does anyone have suggestions?

<?php

require 'connect.php';

//making a variable from the user data
$name = $_POST["name"];
$number = $_POST["snumber"];
$course = $_POST["pcourse"];

//linking up the database
$link = mysqli_connect(HOST, USER, PASS, DB) or die (mysqli_connect_error());

// select all from table student which show student name and number
$squery = "SELECT * FROM student";
$sresult = mysqli_query($link, $squery);

$found = 0;

while ($srow = mysqli_fetch_array($sresult)) {

    // testing if the student name and number match the users data
    if ($name == $srow['family'] && $number == $srow['uid']) {

        $enrol = "INSERT INTO enrolment (uid course) VALUES('$number' '$course')";
        $found = 1;
        break;
    }
}
mysqli_close($link);

?>

<html>
    <body>
        <form action="index.php" method="post">
            <br>
            <input type = "submit" value="back" name="back">
        </form>
    </body>
</html>

index.php (form)

<!DOCTYPE html>
<html>
  <body>
    <h1>Course Selection</h1><br>


    <form action="next.php" method="post">


              Name: <input type="text" name="name" placeholder="Name" required="required" maxlength="50">
              <br><br>

              Student Number: <input type="text" name= "snumber" required="required" maxlength="9">
              <br><br>

        <?php
        //form
      require 'connect.php';

       echo "Select a course: <select name = \"pcourse\">\n";

      $link = mysqli_connect(HOST, USER, PASS, DB) or die(mysqli_connect_error());

      $query = "SELECT * FROM course";
      $result = mysqli_query($link, $query);

      while ($row = mysqli_fetch_array($result)) {
        echo "<option> $row[code] $row[name] $row[maxenroll]</option><br>";
      }

      mysqli_free_result($result);

      mysqli_close ($link);

      echo " </select>\n";


      ?>

      <br><br>
      <input type = "submit" value="submit" name= "submit">

    </form>

    </body>
    </html>
bldb
  • 21
  • 1
  • 6
  • I don't understand the point of the SELECT – Strawberry Dec 08 '17 at 14:50
  • 1
    thank you for shadowing your password and username, I'm so happy I got to find it on at least 1 PHP question – omkaartg Dec 08 '17 at 14:51
  • Where are you collecting user data from, you don't have any input from HTML – omkaartg Dec 08 '17 at 14:53
  • 1
    You're not executing any insert query; just creating a string called `$enrol` – Mark Baker Dec 08 '17 at 14:53
  • 1
    `(uid course)` and `('$number' '$course')` should be comma-separated – Michel Dec 08 '17 at 14:53
  • 1
    Check this for making your insert statement secure: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496 – Adder Dec 08 '17 at 14:54
  • 1
    And why are you selecting every record from the student table? Haven't you ever seen a WHERE clause in a SQL query? – Mark Baker Dec 08 '17 at 14:54
  • 3
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Dec 08 '17 at 14:55

2 Answers

0

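Your insert code is just a string. You should send your insert code to MySQL. Try this:

// Quote the values and separate them with commas
$enrol = "INSERT INTO enrolment (uid, course) VALUES('$number', '$course')";
// Run the statement; building the string alone sends nothing to MySQL
$link->query($enrol);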
olgundutkan
  • 406
  • 2
  • 17
-2

My guess is that when checking the result set from the student table - there is no such family and uid in it, which means - in the table. Instead of doing the insert right away, try to display the matching record from the database - if this is actually what you wanted to find. Then you can check what is actually stored in the database - and you can compare both.
The other thing is - why not limit the select to exactly that student?
Rebuild your query, something like:
// Let MySQL find the one matching student instead of fetching every row
$squery = "select * from student where family='".$name."' and uid='".$number."'";
Then you can check how many records were selected and display that number before doing any inserts.
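
The prepared-statement approach recommended in the comments, applied to the WHERE lookup and the insert discussed in both answers. This is an added example, not code from the original posts: it assumes PDO with an in-memory SQLite database standing in for MySQL (requires the pdo_sqlite extension), `enrol()` is a hypothetical helper, and the sample row and inputs are constructed.

```php
<?php
// Added example, not the asker's code. In-memory SQLite stands in for MySQL
// (assumption); table and column names are the ones used in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw instead of passing silently

$db->exec("CREATE TABLE student (uid TEXT PRIMARY KEY, family TEXT)");
$db->exec("CREATE TABLE enrolment (uid TEXT, course TEXT)");
$db->exec("INSERT INTO student VALUES ('100000001', 'O''Brien')"); // constructed sample row

// enrol() is a hypothetical helper: true if the student was found and enrolled.
function enrol(PDO $db, string $name, string $number, string $course): bool
{
    // Let the database match the student instead of looping over every row.
    $check = $db->prepare("SELECT 1 FROM student WHERE family = ? AND uid = ?");
    $check->execute([$name, $number]);
    if ($check->fetchColumn() === false) {
        return false; // no such student: nothing is written
    }

    // Placeholders keep user input out of the SQL text; execute() actually sends it.
    $insert = $db->prepare("INSERT INTO enrolment (uid, course) VALUES (?, ?)");
    $insert->execute([$number, $course]);
    return $insert->rowCount() === 1;
}

// Constructed inputs standing in for $_POST['name'], ['snumber'] and ['pcourse'].
var_dump(enrol($db, "O'Brien", '100000001', 'CS101')); // the quote in the name is treated as data
var_dump(enrol($db, 'Nobody', '100000001', 'CS101'));  // name does not match the uid: rejected
var_dump((int) $db->query("SELECT COUNT(*) FROM enrolment")->fetchColumn());
```

With mysqli the same structure applies using `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`.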