-2

I've been trying to make a payment page where, after adding sufficient information, the order is taken with the items in the cart. For some reason, my code isn't responding and is showing a blank screen. I am relatively new to PHP. Could anyone help me out? Here is the code below:

```php
<?php
    require_once('../connection.php');
    require_once('../product.php');
    session_start();

    $name = $_POST['name'];
    $email = $_POST['email'];
    $address = $_POST['address'];

    if(isset($_POST['payment-made'])){
        if(empty($name) || empty($email) || empty($address)){
            echo "<script>alert('Please enter the complete information!');
            window.location = 'orders.inc.php';</script>";
        } else {
            if(isset($_SESSION['Uid'])){
                if(isset($_SESSION['cart'])){
                    $product_id = array_column($_SESSION['cart'], 'product_id');
                    $result = mysqli_query($conn,"SELECT * FROM `products`");
                    while($row = mysqli_fetch_assoc($result)){
                        foreach($product_id as $id){
                            if($row['product_id']==$id){
                                $ordername = $row['item_name'];
                                $nooforder = 1;
                                $sql1 = "INSERT INTO orders(order_name, no_order, cust_name, del_add)
                                VALUES ('$ordername', '$nooforder', '$name', '$email', '$address');";

                                $done = mysqli_query($conn, $sql1);
                                if($done){
                                    echo "successful";
                                }
                                else{
                                    ini_set('display_errors', '1');
                                    ini_set('display_startup_errors', '1');
                                    error_reporting(E_ALL);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

?>
```

I have doubts the problem lies within the $ordername variable. Could anyone clarify what's causing the problem and how to solve it?

  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 28 '20 at 14:51
  • If your `payment-made` form variable is not set, that would result in a blank screen as you don't echo any error. Equally, if your INSERT query doesn't work, you don't display any message to say that it failed. I believe that setting the PHP error reporting _after_ the errors won't report them. – droopsnoot Aug 28 '20 at 14:58

1 Answer

0

Your INSERT query names four columns, but provides five variables to insert.

droopsnoot
  • 931
  • 1
  • 7
  • 11
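The following is an added example, not the asker's or the answerer's code, showing the page rewritten the way the comments and the answer suggest: the column list and the value list have the same length, every user-supplied value is bound through a mysqli prepared statement instead of being concatenated into the SQL text, error reporting is switched on before any query runs, and each branch prints something so the page is never blank. It assumes that `$conn` is the mysqli connection created by `../connection.php`, that the `orders` table has a `cust_email` column (hypothetical: the question's INSERT names four columns but supplies five values, so the extra `$email` needs a column or must be dropped), and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example, not the asker's code. Assumes $conn is the mysqli connection
// created by ../connection.php and that the `orders` table has a cust_email
// column (hypothetical: the question shows four columns and five values, so
// either add the column or drop $email from both lists).
declare(strict_types=1);

require_once '../connection.php';

// Report errors before any query runs; setting this after a failed query
// reports nothing, as droopsnoot's comment notes.
ini_set('display_errors', '1');
error_reporting(E_ALL);
// Make mysqli throw on failure instead of returning false that nobody checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one `orders` row per cart item. User-supplied values are bound as
 * parameters, so they are never spliced into the SQL text.
 * Returns the number of rows inserted.
 */
function insert_orders(mysqli $conn, array $cart, string $name, string $email, string $address): int
{
    $productIds = array_map('intval', array_column($cart, 'product_id'));
    if ($productIds === []) {
        return 0;
    }

    // Fetch only the cart's products instead of scanning the whole table.
    // One '?' per id; the ids are bound as integers, not concatenated.
    $marks  = implode(',', array_fill(0, count($productIds), '?'));
    $lookup = $conn->prepare("SELECT item_name FROM products WHERE product_id IN ($marks)");
    $lookup->bind_param(str_repeat('i', count($productIds)), ...$productIds);
    $lookup->execute();
    $items = $lookup->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $lookup->close();

    // Five columns, five placeholders, five bound variables (s=string, i=int).
    $insert = $conn->prepare(
        'INSERT INTO orders (order_name, no_order, cust_name, cust_email, del_add)
         VALUES (?, ?, ?, ?, ?)'
    );
    $orderName = '';
    $quantity  = 1;
    $insert->bind_param('sisss', $orderName, $quantity, $name, $email, $address);

    $inserted = 0;
    foreach ($items as $item) {
        $orderName = $item['item_name']; // bound by reference, re-read on execute
        $insert->execute();
        $inserted += $insert->affected_rows;
    }
    $insert->close();
    return $inserted;
}

session_start();

if (!isset($_POST['payment-made'])) {
    // The original script printed nothing on this path, hence the blank page.
    echo 'Form not submitted.';
    exit;
}

// Read the fields only after checking the form was posted, and with defaults,
// so missing keys do not raise notices.
$name    = trim($_POST['name'] ?? '');
$email   = trim($_POST['email'] ?? '');
$address = trim($_POST['address'] ?? '');

if ($name === '' || $email === '' || $address === '') {
    echo "<script>alert('Please enter the complete information!');"
       . "window.location = 'orders.inc.php';</script>";
} elseif (!isset($_SESSION['Uid'], $_SESSION['cart'])) {
    echo 'Please log in and add items to your cart first.';
} else {
    $count = insert_orders($conn, $_SESSION['cart'], $name, $email, $address);
    echo $count > 0 ? 'successful' : 'No cart items matched a product.';
}
```

With `MYSQLI_REPORT_STRICT` enabled, a column/value mismatch like the one in the question surfaces immediately as a `mysqli_sql_exception` with the server's message, rather than as a silent `false` and an empty page. The `bind_param` call binds variables by reference, which is why `$orderName` is declared once before the loop and reassigned on each iteration instead of being rebound.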