
I am trying to create a database value from the values submitted and insert it into the same database. The value I am creating is `$tprice = '$Price' * '$Pquantity';` in the code below, but it is not inserting.

```php
<?php
$submit = $_POST['Add'];

// form data (a mysql_* connection and session_start() are assumed to exist above this point)
$Sname = mysql_real_escape_string(htmlentities(strip_tags($_POST['Sname'])));
$Pname = mysql_real_escape_string(htmlentities(strip_tags($_POST['Pname'])));
$Pidno = mysql_real_escape_string(htmlentities(strip_tags($_POST['Pidno'])));
$Psize = mysql_real_escape_string(htmlentities(strip_tags($_POST['Psize'])));
$Pcolour = mysql_real_escape_string(htmlentities(strip_tags($_POST['Pcolour'])));
$Pquantity = $_POST['Pquantity'];   // note: not escaped or validated like the other fields
$Weblink = mysql_real_escape_string(htmlentities(strip_tags($_POST['Weblink'])));
$Price = mysql_real_escape_string(htmlentities(strip_tags($_POST['Price'])));
$date = date("Y-m-d");

// debug output ($Uname is not defined anywhere in this script)
echo " ('','$Sname','$Pname','$Pidno','$Psize','$Pcolour','$Pquantity','$Weblink','$Price','$Uname')";

if ('POST' === $_SERVER['REQUEST_METHOD'])
{
    if ($Sname && $Pname && $Pidno && $Weblink && $Price)
    {
        if (is_numeric($Price))
        {
            $repeatheck = mysql_query("SELECT * FROM repplac WHERE Uname = '{$_SESSION['username']}' AND Pidno ='$Pidno' AND Sname='$Sname'");
            $count = mysql_num_rows($repeatheck);
            if ($count != 0)
            {
                die('PRODUCT ALREADY IN BASKET YOU CAN INCREASE OR DECREASE QUANTITY');
            }
            else
            {
                //echo '$Price';
                // the line in question: with single quotes these are the literal strings, not the variables
                $tprice = '$Price' * '$Pquantity';
                //echo "$tprice";
            }
            $queryreg = mysql_query("
INSERT INTO repplac VALUES ('','$Sname','$Pname','$Pidno','$Psize','$Pcolour','$Pquantity','$Weblink','$Price','$tprice','$date','{$_SESSION['username']}')
");
        }
        else
            echo 'price field requires numbers';
    }
    else
        echo 'please fill in all required * fields ';
}
?>
```
Madara's Ghost
lostty84
  • Welcome to Stack Overflow! You are not doing any error checking in your query, so it's no wonder you don't get any information when it fails. You *need* to check for errors after a `mysql_query()` call. How to do this is outlined in the [manual on `mysql_query()`](http://php.net/mysql_query) or in this [reference question.](http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension) – Pekka Feb 14 '12 at 11:30
  • Also, "it doesn't work" is never a good error description. What exactly goes wrong where? What errors do you get? – Pekka Feb 14 '12 at 11:31
  • Firstly, when I echo the value of $tprice it comes out as $tprice, so I was wondering why, but it is actually catching the individual values – lostty84 Feb 14 '12 at 11:36
  • What exactly is your problem here? – Pekka Feb 14 '12 at 11:39
  • When I insert the values, the $tprice value is not inserted into `$queryreg = mysql_query(" INSERT INTO repplac VALUES ('','$Sname','$Pname','$Pidno','$Psize','$Pcolour','$Pquantity','$Weblink','$Price','$tprice','$date','{$_SESSION['username']}') ")or die(mysql_error());` – lostty84 Feb 14 '12 at 11:41

1 Answer


This line:

```php
$tprice = '$Price' * '$Pquantity';
```

won't work: It will try to multiply the literal strings $Price and $Pquantity (because in strings with single quotes, variable names are not interpreted.)

Just lose the quotes altogether:

```php
$tprice = $Price * $Pquantity;
```

Additional notes:

  • You should make sure that $Pquantity is an integer. Otherwise, people may be able to hack your prices by specifying 0.1

  • The strip_tags() and htmlentities() calls when sanitizing are overkill. I would not use either, and do a htmlentities() when outputting the data.

Pekka