-2

I'm trying to make this work but i just can't seem to get it. Basically this is my admin Dish pannel for a online food order website: 1 Dish master page

And this is the page to add a dish: 2 Add Dish Page

when i try to submit the form, it doesn't add the data in the database and doesn't display the dish in the dish master page.

This is my code for dish master page:

<?php 
include('top.php');

if(isset($_GET['type']) && $_GET['type']!=='' && isset($_GET['id']) && $_GET['id']>0){
    $type=get_safe_value($_GET['type']);
    $id=get_safe_value($_GET['id']);
    if($type=='active' || $type=='deactive'){
        $status=1;
        if($type=='deactive'){
            $status=0;
        }
        mysqli_query($con,"update dish set status='$status' where id='$id'");
        redirect('dish.php');
    }

}

$sql="select dish.*,category.category from dish,category where dish.category_id=category.id order by dish.id desc";
$res=mysqli_query($con,$sql);

?>
  <div class="card">
            <div class="card-body">
              <h1 class="grid_title">Dish Master</h1>
              <a href="manage_dish.php" class="add_link">Add Dish</a>
              <div class="row grid_box">
                
                <div class="col-12">
                  <div class="table-responsive">
                    <table id="order-listing" class="table">
                      <thead>
                        <tr>
                            <th width="10%">S.No #</th>
                            <th width="15%">Category</th>
                            <th width="25%">Dish</th>
                            <th width="15%">Image</th>
                            <th width="15%">Added On</th>
                            <th width="20%">Actions</th>
                        </tr>
                      </thead>
                      <tbody>
                        <?php if(mysqli_num_rows($res)>0){
                        $i=1;
                        while($row=mysqli_fetch_assoc($res)){
                        ?>
                        <tr>
                            <td><?php echo $i?></td>
                            <td><?php echo $row['category']?></td>
                            <td><?php echo $row['dish']?></td>
                            <td><?php echo $row['image']?></td>
                            <td>
                            <?php 
                            $dateStr=strtotime($row['added_on']);
                            echo date('d-m-Y',$dateStr);
                            ?>
                            </td>
                            <td>
                                <a href="manage_dish.php?id=<?php echo $row['id']?>"><label class="badge badge-success hand_cursor">Edit</label></a>&nbsp;
                                <?php
                                if($row['status']==1){
                                ?>
                                <a href="?id=<?php echo $row['id']?>&type=deactive"><label class="badge badge-danger hand_cursor">Active</label></a>
                                <?php
                                }else{
                                ?>
                                <a href="?id=<?php echo $row['id']?>&type=active"><label class="badge badge-info hand_cursor">Deactive</label></a>
                                <?php
                                }
                                
                                ?>
                            </td>
                           
                        </tr>
                        <?php 
                        $i++;
                        } } else { ?>
                        <tr>
                            <td colspan="5">No data found</td>
                        </tr>
                        <?php } ?>
                      </tbody>
                    </table>
                  </div>
                </div>
              </div>
            </div>
          </div>
        
<?php include('footer.php');?>

and this is my code for the add dish page:

<?php 
include('top.php');

$msg="";
$category_id="";
$dish="";
$dish_detail="";
$image="";
$id="";

if(isset($_GET['id']) && $_GET['id']>0){
    $id=get_safe_value($_GET['id']);
    $row=mysqli_fetch_assoc(mysqli_query($con,"select * from dish where id='$id'"));
    $category_id=$row['category_id'];
    $dish=$row['dish'];
    $dish_detail=$row['dish_detail'];
    $image=$row['image'];
}

if(isset($_POST['submit'])){
    $category_id=get_safe_value($_POST['category_id']);
    $dish=get_safe_value($_POST['dish']);
    $dish_detail=get_safe_value($_POST['dish_detail']);
    $added_on=date('Y-m-d h:i:s');
    
    if($id==''){
        $sql="select * from dish where dish='$dish'";
    }else{
        $sql="select * from dish where dish='$dish' and id!='$id'";
    }   
    if(mysqli_num_rows(mysqli_query($con,$sql))>0){
        $msg="Dish already added";
    }else{
        if($id==''){
            mysqli_query($con,"insert into dish(category_id,dish,dish_detail,status,added_on,) values('$category_id','$dish','$dish_detail',1,'$added_on,')");
        }else{
            mysqli_query($con,"update dish set category_id='$category_id', dish='$dish', dish_detail='$dish_detail' where id='$id'");
        }
        
        redirect('dish.php');
    }
}
$res_category=mysqli_query($con,"select * from category where status='1' order by category asc")
?>
<div class="row">
            <h1 class="grid_title ml10 ml15">Dish</h1>
            <div class="col-12 grid-margin stretch-card">
              <div class="card">
                <div class="card-body">
                  <form class="forms-sample" method="post">
                    <div class="form-group">
                      <label for="exampleInputName1">Category</label>
                      <select class="form-control" name="category_id">
                          <option value="">Select Category</option required>
                          <?php
                          while($row_category=mysqli_fetch_assoc($res_category)){                           
                                    echo "<option value='".$row_category['id']."'>".$row_category['category']."</option>";  
                          }
                          ?>
                      </select>
                    </div>
                    <div class="form-group">
                      <label for="exampleInputName1">Dish</label>
                      <input type="text" class="form-control" placeholder="Dish" name="dish" value="<?php echo $dish?>" required>
                      <div class="error mt8"><?php echo $msg?></div>
                    </div>
                    <div class="form-group">
                      <label for="exampleInputEmail3" required>Dish Detail</label>
                      <textarea name="dish_detail" class="form-control" placeholder="Dish Details"></textarea>
                    </div>
                    
                    <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
                  </form>
                </div>
              </div>
            </div>
            
         </div>
        
<?php include('footer.php');?>

the data won't show up in the dish master page. what do i do?

edit: here are the relevant databases: dish database category database

jepa
  • 1
  • 2
  • You have a typo in your SQL: `insert ... ,status,added_on,)` - the trailing comma will cause the SQL to fail. Note your `'$added_on,'` *value* also has an extra comment. You really should do some error handling/checking to catch this. And please try to do some basic debugging before posting a question here on SO - eg echoing out your SQL and trying to run it in a MySQL client would have immediately shown you this problem. I'm voting to close as a typo. – Don't Panic Sep 16 '21 at 07:29
  • @Don'tPanic I have removed the commas but it still doesn't save into the database nor display it in the dish master page. Is their something else wrong? – jepa Sep 16 '21 at 08:49
  • Did you try what I suggested to debug the SQL? What other debugging have you tried? If you look in your browser's devtools, and check the network tab, can you see the POST happening? Are all the fields you expect there? How about on the PHP side - have you tried logging or echoing things out to make sure the flow is proceeding as you expect, and the variables you are using are set as expected? – Don't Panic Sep 16 '21 at 09:19
  • @Don'tPanic I used php in order to echo `select * from category where status='1' order by category asc`. i then put this query into the phpmyadmin SQL tab but it still isn't working. – jepa Sep 16 '21 at 09:43
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 16 '21 at 10:05
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Sep 22 '21 at 15:39

1 Answers1

-1

Your form is missing the action and method attributes. So currently whatever information you submit is being sent nowhere, hence it's not getting recorded in your DB.

Here's some information about how to setup a proper form: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form

Additionally, your code is vulnerable to SQL injection attacks. I strongly recommend you switch to prepared statements or use a helper class such as this one: https://github.com/colshrapnel/safemysql

Ivan
  • 1,274
  • 16
  • 22