
I'm trying to insert the currently logged-in user's username and the bid they requested into the issue_book database, but when I hit the Reserve button the message "Book Reserved Successfully" appears, yet when I check phpMyAdmin nothing appears in the database. Can anyone help me with this, please?

<?php
include "footer.php";
include "connection.php";
session_start();
?>

<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>

<div class= "book-header" style = "padding-top: 2%; padding-left: 1%">
<h2 style = "color: white;">Reserve a Book</h2>
</div>


<div class = "srch" style = "padding-top: 1%; padding-bottom: 1%; padding-left: 1%;">
    
            <form class = "search-button" method = "post" name = "form1">
        <div>
            <input style= "height: 50px;" class = "" type = "text" name = "bid" placeholder = "Enter Book ID" >
            <button style = "background-color: #5db4cb; border: 0; padding: 15px; width: 10%;  font-family: sans-serif; color: #ffffff; font-size: 14px; -webkit-transition: all 0.3 ease; transition: all 0.3 ease; cursor: pointer;" 
            type = "submit" name = "submit1" class = "btn-default">Reserve</button>
       </div>
            </form>
</div>


<?php
if(isset($_POST['submit1']))
 {
if(isset($_SESSION['login_user']))
{
    mysqli_query($db, "INSERT INTO `issue_book` VALUES('$_SESSION[login_user]', '$_POST[bid]');");

    ?>
     <script type = "text/javascript">
     alert("Book Reserved Successfully");
     </script>
     <?php
}
else{
    ?>
    <script type = "text/javascript">
    alert("Need To Login");
    </script>
    <?php
 }
 }
 ?>




<!-- Book Table -->

<?php
$result = mysqli_query($db, "SELECT * FROM books ORDER BY books . name ASC"); // Orders book by name
?>

<table class = 'table table-bordered '>
<tr style='background-color: #abb79b; color: white;'>
    <th>ID</th>
    <th>Book-Name</th>
    <th>Author-Name</th>
    <th>Edition</th>
    <th>Status</th>
    <th>Quantity</th>
    <th>Department</th>
</tr>
<?php

while ($row = mysqli_fetch_assoc($result)) {
?>
<tr style = 'background-color: white;'>
    <td><?php echo $row['bid'] ?></td>
    <td><?php echo $row['name'] ?></td>
    <td><?php echo $row['authors'] ?></td>
    <td><?php echo $row['edition'] ?></td>
    <td><?php echo $row['status'] ?></td>
    <td><?php echo $row['quantity'] ?></td>
    <td><?php echo $row['department'] ?></td>
 </tr>
 <?php
}
?>
</table>

</body>
</html>

I think the reason behind the username and bid not inserting into the database might be to do with the query. But I can't see where I have gone wrong, so any help would be very much appreciated.

DJ Dog
  • Side notice, you are open to [SQL injection](https://www.php.net/manual/en/security.database.sql-injection.php) and should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) before executing them. – Skully Nov 21 '21 at 23:58
  • Looks like the array indexes within the string are missing quotes. Check the webserver error log, there may be notices about the situation. Strongly advise to do what the previous comment suggests, makes the query less verbose too, and helps avoid quoting-related issues. – Paul T. Nov 21 '21 at 23:59
  • @PaulT. Where am I missing the quotes exactly? And yes I will add prepared statements as well – DJ Dog Nov 22 '21 at 00:05
  • `$_SESSION[login_user]` => `$_SESSION['login_user']`, same with the `$_POST` index. – Paul T. Nov 22 '21 at 00:06
  • @PaulT. That just gives me a syntax error. – DJ Dog Nov 22 '21 at 00:11
  • It might, likely because of the other single quotes, which is how parameterized would help. That portion of the string would need to be: `VALUES('{$_SESSION['login_user']}', '{$_POST['bid']}')`; no `;` is needed at the end. – Paul T. Nov 22 '21 at 00:17
  • Thanks @PaulT. I tried that and still no change. Still not adding anything to the database. Very annoying and weird. – DJ Dog Nov 22 '21 at 00:23
  • Assign the values from the `$_SESSION` array to variables, then put those into the query. – anthony_718 Nov 22 '21 at 00:26
  • Try this with the insert: `if (!mysqli_query($db, "INSERT INTO \`issue_book\` VALUES('{$_SESSION['login_user']}', '{$_POST['bid']}')")) { echo mysqli_error($db); }` to see if it shows anything. (I forgot the echo previously) – Paul T. Nov 22 '21 at 00:51
  • @PaulT. you don't need array index quotes when used with a double-quoted string. PHP is weird that way... `echo "No problems $array[here]";` – Phil Nov 22 '21 at 00:52
  • @Phil ... ok thanks, I learned something new. I've always used quotes with my indexes. – Paul T. Nov 22 '21 at 00:55
  • @Phil Can you please explain to me what I should do instead? – DJ Dog Nov 22 '21 at 01:40
  • You never check the result of `mysqli_query()`, it's probably failing. Follow the instructions in the post linked at the top of your question to find out what's going wrong – Phil Nov 22 '21 at 01:42
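
The two suggestions from the comments above (use a prepared statement, and check whether the insert actually succeeded before reporting success), shown as an added example that is not part of the original question or comments. It assumes `connection.php` defines `$db` as a mysqli connection and that `issue_book` has columns named `username` and `bid`; `reserve_book` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumptions: connection.php defines
// $db (a mysqli connection) and issue_book has columns named username and bid.
session_start();                       // start the session before any output
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
include "connection.php";

/**
 * Insert one reservation; returns true only if a row was actually written.
 * reserve_book() is a hypothetical helper introduced for this example.
 */
function reserve_book(mysqli $db, string $username, string $bid): bool
{
    // Placeholders keep the session and POST values out of the SQL text.
    $stmt = $db->prepare(
        "INSERT INTO `issue_book` (`username`, `bid`) VALUES (?, ?)"
    );
    $stmt->bind_param("ss", $username, $bid);
    $stmt->execute();
    $written = $stmt->affected_rows === 1;
    $stmt->close();
    return $written;
}

$message = null;
if (isset($_POST['submit1'])) {
    $bid = trim($_POST['bid'] ?? '');
    if (!isset($_SESSION['login_user'])) {
        $message = "Need To Login";
    } elseif ($bid === '') {
        $message = "Enter a Book ID";
    } else {
        try {
            $message = reserve_book($db, $_SESSION['login_user'], $bid)
                ? "Book Reserved Successfully"
                : "Reservation was not saved";
        } catch (mysqli_sql_exception $e) {
            // Log the real cause server-side; show the user a generic message.
            error_log("issue_book insert failed: " . $e->getMessage());
            $message = "Reservation failed";
        }
    }
}
if ($message !== null) {
    // json_encode produces a safely quoted JavaScript string literal.
    echo "<script>alert(" . json_encode($message, JSON_HEX_TAG) . ");</script>";
}
```

With `mysqli_report()` set this way, a failed insert raises `mysqli_sql_exception` instead of returning `false` silently, so the success alert cannot appear when nothing was written.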

0 Answers