-3

I set up an HTML page with a form that would send the information over to a PHP page. Then the PHP would run through it and send it to my DB. I set the database up in cPanel. I have another part of the code that searches for the item, and that works. I just don't get why the query statement in this isn't pulling the information.

The error that I get is "An error has occurred. The item was not added." which I have set up after the query line. I can't seem to figure out why.

Here is the code:

html:

  <form action="insert_product.php" method="post">
    <table border="0">
      <tr>
        <td>ShoeName</td>
         <td><input type="text" name="ShoeName" maxlength="13" size="13"></td>
      </tr>
      <tr>
        <td>Price</td>
        <td> <input type="text" name="Price" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>ProductID</td>
        <td> <input type="text" name="ProductID" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>Size</td>
        <td><input type="text" name="Size" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>ShoeType</td>
        <td><input type="text" name="ShoeType" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>Brand</td>
        <td><input type="text" name="Brand" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>Color</td>
        <td><input type="text" name="Color" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>Rating</td>
        <td><input type="text" name="Rating" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>Description</td>
        <td><input type="text" name="Description" maxlength="40" size="40"></td>
      </tr>
      <tr>
        <td>ImageName</td>
        <td><input type="text" name="ImageName" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td>StockAmount</td>
        <td><input type="text" name="StockAmount" maxlength="7" size="7"></td>
      </tr>
      <tr>
        <td colspan="2"><input type="submit" value="Register"></td>
      </tr>
    </table>
  </form>

php:

<?php
  // create short variable names
  $ShoeName=$_POST['ShoeName'];
  $Price=$_POST['Price'];
  $ProductID=$_POST['ProductID'];
  $Size=$_POST['Size'];
  $ShoeType=$_POST['ShoeType'];
  $Brand=$_POST['Brand'];
  $Color=$_POST['Color'];
  $Rating=$_POST['Rating'];
  $Description=$_POST['Description'];
  $ImageName=$_POST['ImageName'];
  $StockAmount=$_POST['StockAmount'];

  if (!$ShoeName || !$Price || !$ProductID || !$Size || !$ShoeType || !$Brand || !$Color || !$Rating || !$Description || !$ImageName || !$StockAmount) {
     echo "You have not entered all the required details.<br />"
          ."Please go back and try again.";
     exit;
  }

  if (!get_magic_quotes_gpc()) {
    $ShoeName = addslashes($ShoeName);
    $Price = doubleval($Price);
    $ProductID = addslashes($ProductID);
    $Size = addslashes($Size);
    $ShoeType = addslashes($ShoeType);
    $Brand = addslashes($Brand);
    $Color = addslashes($Color);
    $Rating = doubleval($Rating);
    $Description = addslashes($Description);
    $ImageName = addslashes($ImageName);
    $StockAmount = doubleval($StockAmount);
  }

  @ $db = new mysqli('localhost', 'admin', '(pass)', 'KicksUnlimited');

  if (mysqli_connect_errno()) {
     echo "Error: Could not connect to database.  Please try again later.";
     exit;
  }

  $query = "INSERT INTO product".'(ShoeName, Price, ProductID, Size, ShoeType, Brand, Color, Rating, Description, ImageName, StockAmount)'."values
            ('".$ShoeName."', '".$Price."', '".$ProductID."', '".$Size."', '".$ShoeType."', '".$Brand."', '".$Color."', '".$Rating."', '".$Description."', '".$ImageName."', '".$StockAmount."')";
  $result = $db->query($query);

  if ($result) {
      echo  $db->affected_rows." shoe inserted into database.";
  } else {
      echo "An error has occurred.  The item was not added.";
  }

  $db->close();
?>
gcop
  • 35
  • 5
  • 4
    Please note that the way you're building your query is unsafe. You're open to [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – El_Vanja Nov 22 '20 at 21:28
  • 3
    Here's a thorough [tutorial](https://stackoverflow.com/a/22662582/4205384) on debugging db related problems. – El_Vanja Nov 22 '20 at 21:28
  • 1
    Missing parenthesis before "values". This code is vulnerable to SQL Injection. – Felippe Duarte Nov 22 '20 at 21:28
  • 1
    I'm not worried about SQL Injection right now as this isn't going to be a live site. Just a test project right now. – gcop Nov 22 '20 at 21:31
  • 4
    Prepared statements not only protect your code from vulnerabilities, they also make adding parameters easier, because a) your query will be more readable without all the concatenation and b) it takes care of any necessary quoting of the parameters. As for your troubles, you should be seeing an error. Read the linked answer in my second comment to guide you on that. – El_Vanja Nov 22 '20 at 21:45
  • 2
    In order to know which error you have, the first step is to display the SQL error message. – dimasdmm Nov 22 '20 at 21:58
  • Thanks everyone, I'm going to research prepared statements and learn how to use them. – gcop Nov 22 '20 at 23:23
  • `echo("Error description: " . $db->error);` would be a handy statement to add so you can see why the SQL did not work. – MortimerCat Nov 23 '20 at 07:21

1 Answer

-1

Test:

  1. Type the query in cPanel with values, not variables.
  2. Use `print $ShoeName=$_POST['ShoeName'];` in front of every `$_POST[]` and at the end `print exit;`. This is to check the values coming from the form.
  3. Comment out everything between the `$_POST[]` variables and `INSERT INTO .....`
  4. Check the quotes. It is a mess of quotes, double and single, that it does not need. And check whether quotes are needed around every value.

Sorry, I don't have time to do all that to find the error for sure.
Do it yourself, because it is the best way of learning.

b2ok
  • 544
  • 6
  • 13
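As an added example (not the asker's, the commenters' or the answerer's code), here is the same insert written the way the comments recommend: a mysqli prepared statement instead of string concatenation, with mysqli error reporting switched on so that a failing query surfaces the real MySQL error rather than the generic "An error has occurred" message. It assumes the `product` table and the column names from the question; the connection credentials and the `DEBUG` constant are placeholders/assumptions of this example.

```php
<?php
// Added example, not the asker's code: the same insert done with a mysqli
// prepared statement and with mysqli error reporting enabled.
// Assumes the `product` table and column names from the question; the
// connection credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on any failure, so a failing
// prepare()/execute() carries the real MySQL error instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const DEBUG = true; // show the database error in the page; set to false outside development

$required = ['ShoeName', 'Price', 'ProductID', 'Size', 'ShoeType', 'Brand',
             'Color', 'Rating', 'Description', 'ImageName', 'StockAmount'];

// Collect the posted fields. A missing or blank field is rejected; unlike
// `!$Price` in the original, a legitimate "0" is accepted here.
$input = [];
foreach ($required as $field) {
    $value = $_POST[$field] ?? '';
    if (!is_string($value) || trim($value) === '') {
        echo "You have not entered all the required details.<br />"
           . "Please go back and try again.";
        exit;
    }
    $input[$field] = trim($value);
}

// Convert the numeric fields once, so the right types are bound below.
$price       = (float) $input['Price'];
$rating      = (float) $input['Rating'];
$stockAmount = (int) $input['StockAmount'];

try {
    $db = new mysqli('localhost', 'admin', '(pass)', 'KicksUnlimited'); // placeholders

    // `?` placeholders instead of concatenation: the values travel separately
    // from the SQL text, so quotes in the input cannot alter the statement,
    // and no addslashes()/magic_quotes handling is needed.
    $stmt = $db->prepare(
        'INSERT INTO product
            (ShoeName, Price, ProductID, Size, ShoeType, Brand, Color,
             Rating, Description, ImageName, StockAmount)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );

    // One type letter per placeholder: s = string, d = double, i = integer.
    $stmt->bind_param(
        'sdsssssdssi',
        $input['ShoeName'],
        $price,
        $input['ProductID'],
        $input['Size'],
        $input['ShoeType'],
        $input['Brand'],
        $input['Color'],
        $rating,
        $input['Description'],
        $input['ImageName'],
        $stockAmount
    );
    $stmt->execute();

    echo $stmt->affected_rows . ' shoe inserted into database.';

    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    // The message names the actual cause (duplicate key, wrong column type,
    // unknown column, ...). Log it server-side; show it in the page only in debug mode.
    error_log('insert_product.php: ' . $e->getMessage());
    echo 'An error has occurred. The item was not added.';
    if (DEBUG) {
        echo '<br />Error description: ' . htmlspecialchars($e->getMessage());
    }
}
```

With `MYSQLI_REPORT_STRICT` in effect, the `@` error suppression and the separate `mysqli_connect_errno()` check from the original are no longer needed: a failed connection, prepare or execute all land in the same `catch` block, and the logged message is the same text the `$db->error` suggestion in the comments would have printed. The first step of the answer still applies: running the `INSERT` once in cPanel with literal values shows immediately whether the table itself (column names, types, a duplicate `ProductID`) is the problem before any PHP is involved.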