RequiemEternum February 2016

PHP SQL Insert text value into database

I am working on an online shopping cart project, which requires me to be able to add a custom text input field to each item that is added to the shopping cart. However, when I attempt to insert the information for each item in the card into a database, I cannot figure out how to pass the itemtext value into my INSERT statement. How would I go about being able to pass the itemtext value from the initial item list into my database for Orderitems? The itemtext input is on line 170, and I want to pass it into the INSERT statement seen on line 83.

<?php
session_start();
$user =  $_SESSION['user'];
if(!isset($user)) {
	header("Location:userlogin.php");
}
$cart = $_COOKIE['WSC'];

if(isset($_POST['clear'])) {
	$expire = time() -60*60*24*7*365;
	setcookie("WSC", $cart, $expire);
	header("Location:order.php");
}
if($cart && $_GET['id']) {
	$cart .= ',' . $_GET['id'];
	$expire = time() +60*60*24*7*365;
	setcookie("WSC", $cart, $expire);
	header("Location:order.php");
}
if(!$cart && $_GET['id']) {
	$cart = $_GET['id'];
	$expire = time() +60*60*24*7*365;
	setcookie("WSC", $cart, $expire);
	header("Location:order.php");
}
if($cart && $_GET['remove_id']) {
	$removed_item = $_GET['remove_id'];
	$arr = explode(",", $cart);
	unset($arr[$removed_item-1]);
	$new_cart = implode(",", $arr);
	$new_cart = rtrim($new_cart, ",");
	$expire = time() +60*60*24*7*365;
	setcookie("WSC", $new_cart, $expire);
	header("Location:order.php");
}

if(isset($_POST['PlaceOrder'])) {
	$email = $user;
	$orderdate = date('m/d/Y');
	$ordercost = $_POST['ordercost'];
	$ordertype = $_POST['ordertype'];
	$downcost = $_POST['downcost'];
	$cardtype = $_POST['cardtype'];
	$cardnumber = $_POST['cardnumber'];
	$cardsec = $_POST['cardsec'];
	$cardexpdate = $_POST['cardexpdate'];
	$orde        

Answers


Bob van Luijt February 2016

Update: This is your answer: change '$itemtext[itemnumber]' into '$itemtext'

This is going wrong because of the way you use quotes. (not the answer but you might want to think about it ;-) )

$sql = "INSERT INTO Orders (email, orderdate, ordercost, ordertype, downcost, cardtype, cardnumber, cardsec, cardexpdate, orderstatus)
        VALUES ('$email', '$orderdate', '$ordercost', '$ordertype', '$downcost', '$cardtype', '$cardnumber', '$cardsec', '$cardexpdate', '$orderstatus')";

You should not use '$email' but -for example- ...VALUES ('".$email."',...

Learn more about this here: What is the difference between single-quoted and double-quoted strings in PHP?

On another note, your code is not safe. Please use: http://php.net/manual/en/function.mysql-real-escape-string.php

Example:
...VALUES ('".mysql_real_escape_string($email)."',...

Post Status

Asked in February 2016
Viewed 2,620 times
Voted 11
Answered 1 times

Search




Leave an answer