
I have two tables wallet (table 1) and api (table 2).

Right now I have made the part where I insert the submitted data to my wallet table. This is the code for this specifically:

<?php
   include 'db.php'; // provides $conn (mysqli connection)

   if ($_SERVER['REQUEST_METHOD'] == 'POST') {

      // Escape the submitted values before interpolating them into the query
      $coin = mysqli_real_escape_string($conn, $_REQUEST['coin']);
      $user_coins = mysqli_real_escape_string($conn, $_REQUEST['coins_quantity']);

      $sql = "INSERT INTO wallet (coin, user_coins) VALUES ('$coin', '$user_coins')";
      if ($conn->query($sql)){
          echo "Added successfully.";
      } else{
          echo "ERROR: Could not execute $sql. " . mysqli_error($conn);
      }

   }

?>

And this is the form for the code above:

<form method="post">
   <div class="form-group row justify-content-center">
      <label class="col-sm-3 col-form-label">Coin</label>
      <div class="col-sm-6">
         <select class="form-control" name="coin">
             <?php

             $sql = "SELECT name, symbol FROM api";
             $result = $conn->query($sql);

             while ($row = $result->fetch_assoc()) {
                 unset($symbol, $name);
                 $symbol = $row['symbol'];
                 $name = $row['name'];
                 echo '<option value="'.$symbol.'">'.$name.'</option>';
              }
             ?>
         </select>
      </div>
   </div>
   <div class="form-group row justify-content-center">
      <label class="col-sm-3 col-form-label">Coins</label>
      <div class="col-sm-6">
         <input type="number" class="form-control" name="coins_quantity" placeholder="5">
      </div>
   </div>
   <div class="form-group row justify-content-center text-center">
      <div class="col-sm-12">
         <button type="submit" class="btn btn-primary">Add</button>
      </div>
   </div>
</form>

In my table wallet (table 1) I have created columns which are coin, user_coins and coin_price.

While in table api (table 2) I have name, price, symbol and more.

I want to insert data into coin_price in wallet from the price column in the api table, and I want the price of the coin selected via '<option value="'.$symbol.'">'.$name.'</option>';.

How can I do this?

  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Dec 13 '17 at 10:24
  • @RiggsFolly I am a newborn PHP newbie, thank you for sharing the links. I will improve this code =) –  Dec 13 '17 at 10:25
  • Can we just modify your table because I think the coin and coin_price from your wallet table must be on the api table, and you just need to put the coin_id on the wallet table. – Tenten Ponce Dec 13 '17 at 10:32
  • @TentenPonce I understand. I am looking for a solution for this, so if edition of the code comes with it, so be it. –  Dec 13 '17 at 10:36

2 Answers


This is not the most secure way to upload data to a table. You should use prepared statements to insert data using PHP.

https://phpdelusions.net/pdo#dml


I've found a way. You can:

1.) Put the coin id in the value of the select, then
2.) In your post handler, find (where clause) the coin id and get the data you want to insert into the other table.

Tenten Ponce
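One way to implement the two steps above with prepared statements (the approach RiggsFolly's comment and the first answer recommend), as an added example that is not the asker's or either answerer's code. It assumes db.php exposes a mysqli connection in $conn and that the api table has an integer primary key column named id, which the question does not show; the select's option value is then that id rather than the symbol.

```php
<?php
// Added example: assumes db.php defines $conn (mysqli) and that api has an
// integer primary key `id` (assumption; the question lists name, price, symbol "and more").
include 'db.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/** Render the <select> options with the api id as the value, HTML-escaped. */
function renderCoinOptions(mysqli $conn): string
{
    $html = '';
    $result = $conn->query('SELECT id, name FROM api ORDER BY name');
    while ($row = $result->fetch_assoc()) {
        $html .= '<option value="' . (int) $row['id'] . '">'
               . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html;
}

/**
 * Insert one wallet row, copying symbol and the current price from api.
 * Returns the number of rows inserted: 1 on success, 0 if no coin has that id.
 */
function addToWallet(mysqli $conn, int $coinId, int $quantity): int
{
    // INSERT ... SELECT does the lookup and the insert in one statement; the
    // placeholders are bound as integers, so user input never enters the SQL text.
    $stmt = $conn->prepare(
        'INSERT INTO wallet (coin, user_coins, coin_price)
         SELECT symbol, ?, price FROM api WHERE id = ?'
    );
    $stmt->bind_param('ii', $quantity, $coinId);
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate as integers first: anything else (including injection attempts) is rejected.
    $coinId   = filter_input(INPUT_POST, 'coin', FILTER_VALIDATE_INT);
    $quantity = filter_input(INPUT_POST, 'coins_quantity', FILTER_VALIDATE_INT);
    if (!is_int($coinId) || !is_int($quantity) || $coinId <= 0 || $quantity <= 0) {
        http_response_code(400);
        echo 'Invalid input.';
    } elseif (addToWallet($conn, $coinId, $quantity) === 1) {
        echo 'Added successfully.';
    } else {
        echo 'Unknown coin.';
    }
}
```

In the form, replace the inline while loop with `<?= renderCoinOptions($conn) ?>` inside the select so the submitted value is the coin's id.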