I have the following form inputs. I am trying to send this input data to "placebet.php", then retrieve the data and add a confirm or cancel button, so that it can then be added to the database.

```html
<form action="placebet.php" method="post">

  <div id="box" class="boxlit">

    <div class="box" data-id="0">Myanmar - Vietnam<br>Home [1]<div class="crtTotal">4.30</div>
      <input type="hidden" name="kickoff[]" value="7/17/2022 10:00">
      <input type="hidden" name="match[]" value="Myanmar - Vietnam">
      <input type="hidden" name="result[]" value="Home [1]" readonly="">
      <input type="hidden" name="value[]" value="4.30">
    </div>

    <div class="box" data-id="4">Thailand - Philippines<br>Draw [2]<div class="crtTotal">3.20</div>
      <input type="hidden" name="kickoff[]" value="7/17/2022 13:30">
      <input type="hidden" name="match[]" value="Thailand - Philippines">
      <input type="hidden" name="result[]" value="Draw [2]" readonly="">
      <input type="hidden" name="value[]" value="3.20">
    </div>

    <div class="box" data-id="11">Botswana - Cameroon<br>Away [3]<div class="crtTotal">1.35</div>
      <input type="hidden" name="kickoff[]" value="7/17/2022 22:00">
      <input type="hidden" name="match[]" value="Botswana - Cameroon">
      <input type="hidden" name="result[]" value="Away [3]" readonly="">
      <input type="hidden" name="value[]" value="1.35">
    </div>
  </div><br>

  <input type="hidden" name="account[]" value="0818054386" readonly="">

  <input type="hidden" name="balance[]" value="20" readonly="">

  <input type="hidden" id="todds" name="todds[]" value="18.58" readonly="">

  <input type="hidden" id="inp" name="payout[]" value="92.90" readonly="">

  <div>Total Odds: <b id="ct1">18.58</b></div><br>

  <div>(N$)Stake: <input id="stake" type="number" name="stake[]" value="5"> NAD</div><br>

  <div>Payout: N$ <b id="payout">92.90</b></div>

  <input class="bet1" type="submit" name="submit" value="Bet">

</form>
```

PHP code in "placebet.php":

I'm not sure if the code below is correct, but I need it to show the input data from the form, give me an option to confirm the data (a button), and then finally add it to the database.


```php
<?php
session_start(); // $_SESSION is read and written below, so the session must be started first

/* Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
$link = mysqli_connect("localhost", "root", "", "forms");
$dba  = mysqli_connect("localhost", "root", "", "login");

// Check both connections
if ($link === false || $dba === false) {
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
if (empty($_SESSION['username'])) {
    die("ERROR: Not logged in.");
}

$error     = false; // set the error status value
$error_msg = "";

// kickoff[] is an array: count the submitted selections (count() on an
// escaped string is a fatal error in PHP 8)
$total = count($_REQUEST['kickoff']);

// Per-ticket values arrive once, not once per selection
$account = $_REQUEST['account'][0];
$stake   = (float) $_REQUEST['stake'][0];
$payout  = $_REQUEST['payout'][0];
$todds   = $_REQUEST['todds'][0];

// Charge the stake once per ticket, not once per loop iteration, and subtract
// from the balance stored in the database rather than the hidden "balance"
// field the browser sent (anyone can edit a hidden input before submitting).
$charge = mysqli_prepare($dba, "UPDATE users SET balance = balance - ? WHERE username = ?");
mysqli_stmt_bind_param($charge, "ds", $stake, $_SESSION['username']);
if (!mysqli_stmt_execute($charge)) {
    $error = true;
    $error_msg .= mysqli_stmt_error($charge);
}
mysqli_stmt_close($charge);

// Refresh the session balance from the database after the charge
$bal = mysqli_prepare($dba, "SELECT balance FROM users WHERE username = ?");
mysqli_stmt_bind_param($bal, "s", $_SESSION['username']);
mysqli_stmt_execute($bal);
mysqli_stmt_bind_result($bal, $_SESSION["balance"]);
mysqli_stmt_fetch($bal);
mysqli_stmt_close($bal);

$date = date('Ymd');

// Only create the day's table if it is not there yet; otherwise the second
// request of the day fails. (The table name comes from date(), not from input.)
mysqli_query($link, "CREATE TABLE IF NOT EXISTS `R$date` LIKE receipts");

// Prepared statement: the values are bound as parameters and never
// concatenated into the SQL string, so escaping is no longer needed
$insert = mysqli_prepare($link, "INSERT INTO `R$date` (`Match`, `Selection`, `Odd`, `Account`, `Stake Amount`, `Payout`, `Total Odds`) VALUES (?, ?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($insert, "sssssss", $match, $selection, $odd, $account, $stake, $payout, $todds);

// run the insert for every selection
for ($i = 0; $i < $total; $i++) {
    $match     = $_REQUEST['match'][$i];
    $selection = $_REQUEST['result'][$i];
    $odd       = $_REQUEST['value'][$i];

    if (!mysqli_stmt_execute($insert)) {
        $error = true;
        $error_msg .= mysqli_stmt_error($insert);
    }
}
mysqli_stmt_close($insert);

// Check the error status after the loop; a redirect inside the loop would
// exit the script after the first selection and never insert the rest.
if ($error) {
    echo "Error :" . $error_msg;
} else {
    header("location: index.php");
    exit;
}

mysqli_close($link);
mysqli_close($dba);
?>
```

Nambuli89

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jul 21 '22 at 13:02
  • You're creating a heap of tables here for no reason, this severely contradicts how relational data should be stored. One table with indexes will perform better. For large scale data, consider partitioning or horizontal sharding, *not this*. – tadman Jul 21 '22 at 13:07

1 Answer

What you want to do isn't redirect to index.php, because with this you start a new request and can't access the request data of placebet.php anymore.

You want either to send your form via a JavaScript AJAX request and then react to the response of placebet.php (https://www.w3schools.com/js/js_ajax_intro.asp), or to generate your own new output at placebet.php, which can then be a confirm page or something similar.

e.g.

```php
if($error){
    echo "Error :".$error_msg;
}else{
    echo "Data has been stored!";
}
```

You could also put your HTML at the end of the PHP file, after closing the PHP part with ?>, like mentioned here https://www.thoughtco.com/php-with-html-2693952#:~:text=As%20you%20can%20see%2C%20you,re%20inside%20the%20PHP%20tags).

dnaumann
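The confirm page the answer describes, written out as an added example (this is not the asker's code, nor the answerer's). It is one `placebet.php` that handles both steps: the first POST from the form is validated, the total odds and payout are recomputed on the server (the hidden `todds[]`, `payout[]` and `balance[]` fields are ignored, since a browser can change them), and the pending bet is parked in the session behind a one-time token while a confirm/cancel page is rendered. The second POST, carrying that token, commits the bet with prepared statements inside a transaction. It assumes a single database holding both the `users` table (with `username` and `balance`) and one `receipts` table with the column names from the question, rather than a table per day as the tadman comment also recommends against, and that a login step has already set `$_SESSION['username']`, which is also used as the receipt's `Account`.

```php
<?php
// placebet.php (added example): two-step bet placement with a confirm page.
// Assumptions: $_SESSION['username'] is set by a prior login; tables `users`
// (`username`, `balance`) and `receipts` live in one database named "forms".
session_start();
if (empty($_SESSION['username'])) { http_response_code(403); exit('Login required'); }

// Type-check the selections; odds come back as floats, never as raw strings.
function parse_selections(array $post): array {
    $n = count($post['match'] ?? []);
    $rows = [];
    for ($i = 0; $i < $n; $i++) {
        $odd = filter_var($post['value'][$i] ?? '', FILTER_VALIDATE_FLOAT);
        if ($odd === false || $odd < 1.0) { throw new InvalidArgumentException("bad odd at index $i"); }
        $rows[] = [
            'match'     => substr((string) ($post['match'][$i] ?? ''), 0, 100),
            'selection' => substr((string) ($post['result'][$i] ?? ''), 0, 50),
            'odd'       => $odd,
        ];
    }
    if (!$rows) { throw new InvalidArgumentException('no selections'); }
    return $rows;
}

$step = $_POST['step'] ?? 'review';

if ($step === 'review') {
    $stake = filter_var($_POST['stake'][0] ?? '', FILTER_VALIDATE_FLOAT);
    if ($stake === false || $stake <= 0) { exit('Invalid stake'); }
    $rows   = parse_selections($_POST);
    $todds  = array_product(array_column($rows, 'odd'));   // recomputed, hidden field ignored
    $payout = round($stake * $todds, 2);

    // Park the pending bet server-side behind a one-time token. The confirm POST
    // must echo it back, so a forged cross-site POST cannot commit a bet.
    $token = bin2hex(random_bytes(16));
    $_SESSION['pending_bet'] = ['token' => $token, 'rows' => $rows,
                               'stake' => $stake, 'todds' => $todds, 'payout' => $payout];

    echo '<h2>Confirm your bet</h2><ul>';
    foreach ($rows as $r) {
        echo '<li>' . htmlspecialchars("{$r['match']}: {$r['selection']} @ {$r['odd']}", ENT_QUOTES) . '</li>';
    }
    echo '</ul><p>Stake N$ ' . number_format($stake, 2) . ', total odds ' . round($todds, 2)
       . ', payout N$ ' . number_format($payout, 2) . '</p>';
    echo '<form method="post" action="placebet.php">'
       . '<input type="hidden" name="step" value="confirm">'
       . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
       . '<button name="action" value="confirm">Confirm</button> '
       . '<button name="action" value="cancel">Cancel</button></form>';
    exit;
}

// step === 'confirm': commit only what the server parked, never what the browser re-sent.
$pending = $_SESSION['pending_bet'] ?? null;
unset($_SESSION['pending_bet']);                 // one-shot: a replayed confirm finds nothing
if (!$pending || !hash_equals($pending['token'], (string) ($_POST['token'] ?? ''))) {
    exit('Nothing to confirm or stale token');
}
if (($_POST['action'] ?? '') !== 'confirm') { header('Location: index.php'); exit; }

$db = mysqli_connect('localhost', 'root', '', 'forms') or die(mysqli_connect_error());
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // failures throw instead of passing silently
mysqli_begin_transaction($db);
try {
    // Deduct from the stored balance and refuse to overdraw, in one statement.
    $charge = mysqli_prepare($db, 'UPDATE users SET balance = balance - ? WHERE username = ? AND balance >= ?');
    mysqli_stmt_bind_param($charge, 'dsd', $pending['stake'], $_SESSION['username'], $pending['stake']);
    mysqli_stmt_execute($charge);
    if (mysqli_stmt_affected_rows($charge) !== 1) { throw new RuntimeException('Insufficient balance'); }

    $ins = mysqli_prepare($db, 'INSERT INTO receipts (`Match`, `Selection`, `Odd`, `Account`, `Stake Amount`, `Payout`, `Total Odds`) VALUES (?, ?, ?, ?, ?, ?, ?)');
    foreach ($pending['rows'] as $r) {
        mysqli_stmt_bind_param($ins, 'ssdsddd', $r['match'], $r['selection'], $r['odd'],
                               $_SESSION['username'], $pending['stake'], $pending['payout'], $pending['todds']);
        mysqli_stmt_execute($ins);
    }
    mysqli_commit($db);
    echo 'Bet placed.';
} catch (Throwable $e) {
    mysqli_rollback($db);                        // balance and receipts change together or not at all
    http_response_code(400);
    echo 'Bet not placed: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES);
}
```

The form from the question posts to this file unchanged; the first response is the confirm page, and pressing Confirm posts `step=confirm` plus the token. Keeping the pending bet in the session, not in hidden fields on the confirm page, is what lets the server trust the values it commits: nothing the browser sends in the second request is used except the token and the button choice.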