I have been trying to get this to work for a while now. I'm trying to get my web app to write to my Azure database. I currently have this code as my HTML form:

<form method="get" id="form1" action="../Scripts/addproduct.php">
    <table class="add-table">
        <tr>
            <!--Product ID field-->
            <td>Product ID</td>
            <td><input id="PID" type="number" style="width: 100%;"></td>
        </tr>
        <tr>
            <!--Product Name field-->
            <td>Product Name</td>
            <td><input id="PName" type="text" style="width: 100%;"></td>
        </tr>
        <tr>
            <!--Product Catagory field-->
            <td>Product Catagory</td>
            <td><input id="PCat" type="text" style="width: 100%;"></td>
        </tr>
        <tr>
            <!--Product Price field-->
            <td>Product Price</td>
            <td><input id="PPrice" type="text" style="width: 100%;"></td>
        </tr>
    </table>
    <!--Submit button-->
    <input id="Submit1" type="submit" value="Submit" />
</form>

This is the code in my PHP file: (personal info replaced with hashtags)

<?php
    $username = "##";
    $password = "##";
    $database = "##";
    $servername = "tcp:##,1433";

    $conn = new PDO($servername, $database, $username, $password);

    // Assigns the value of the form elements to a PHP value

    $productid = $_GET["PID"];
    $productname = $_GET["PName"];
    $productcatagory = $_GET["PCat"];
    $productprice = $_GET["PPrice"]; 

    $sql = "INSERT INTO Products VALUES ('$productid', '$productname', '$productcatagory', '$productprice')";

    exit()
?>

Any help would be appreciated! EDIT: Forgot to add my insert code

  • Why are you using method GET? – alanfcm Apr 20 '18 at 21:23
  • You have no code that actually does an insert or update. Where is that code? – gview Apr 20 '18 at 21:24
  • Also, your server connect string looks wrong for SQL Server in Azure. Did you look at this page? http://php.net/manual/en/ref.pdo-sqlsrv.connection.php – gview Apr 20 '18 at 21:25
  • Whoops, sorry, I forgot to put my SQL statement in there! – Cameron Ferns Apr 20 '18 at 21:27
  • I based the connection string off the connection strings on the Azure portal, so assumed it was the right one – Cameron Ferns Apr 20 '18 at 21:30
  • **Your code is vulnerable to SQL injection and will be hacked** even if [you are escaping inputs!](https://stackoverflow.com/a/5741264/2595450) Use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. Check: [How can I prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Spoody Apr 20 '18 at 22:00
  • Execute the query and check. If you have written that, then add it to the question – prasanna puttaswamy Apr 21 '18 at 05:03
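
The points raised in the comments above (PDO_SQLSRV connection string, prepared statement, an insert that is actually executed), put together as an added example that is not part of the original post. It assumes the form is changed to `method="post"` and each input gets a `name` attribute matching its `id` (inputs without `name` are never submitted); the column names, the `HOST`/`DBNAME` placeholders, the sample values and the in-memory SQLite stand-in are assumptions so the script runs offline.

```php
<?php
declare(strict_types=1);

// Check the four form fields and return them as typed values, or throw.
function validate_product(array $in): array
{
    $id    = filter_var($in['PID'] ?? null, FILTER_VALIDATE_INT);
    $price = filter_var($in['PPrice'] ?? null, FILTER_VALIDATE_FLOAT);
    $name  = is_string($in['PName'] ?? null) ? trim($in['PName']) : '';
    $cat   = is_string($in['PCat'] ?? null) ? trim($in['PCat']) : '';
    if ($id === false || $price === false || $price < 0 || $name === '' || $cat === '') {
        throw new InvalidArgumentException('invalid product fields');
    }
    return [$id, $name, $cat, $price];
}

// Placeholders keep user input out of the SQL text: values travel separately
// from the statement, so a quote in a field cannot change the query.
function insert_product(PDO $pdo, array $product): void
{
    $stmt = $pdo->prepare('INSERT INTO Products VALUES (?, ?, ?, ?)');
    $stmt->execute($product);
}

// For Azure SQL, PDO takes the DSN first, then user and password:
//   new PDO('sqlsrv:Server=tcp:HOST,1433;Database=DBNAME', $username, $password);
// HOST and DBNAME are placeholders. SQLite in memory stands in for it here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical column names; the post does not show the table definition.
$pdo->exec('CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)');

// Constructed input, shaped like $_POST after the form fix. The apostrophes in
// PName would end the string literal early in the concatenated INSERT above.
$post = ['PID' => '7', 'PName' => "Bob's 'Deluxe' Widget", 'PCat' => 'Tools', 'PPrice' => '9.99'];
insert_product($pdo, validate_product($post));

// Read the row back to confirm the name was stored verbatim.
$row = $pdo->query('SELECT name, price FROM Products WHERE id = 7')->fetch(PDO::FETCH_ASSOC);
echo $row['name'], ' @ ', $row['price'], PHP_EOL;
```

In the real handler, pass `$_POST` to `validate_product()` and return an HTTP 400 when it throws.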

0 Answers