
I'm trying to save my cart items into the database. This is what I tried and it didn't work; can anyone please help me?

if (isset($_POST['submit']))
{
    include ('config.php');
    foreach ($_SESSION["products"] as $cart_itm)
    {
        $kod_barang = $cart_itm["kod_barang"];
        $nama_barang = $cart_itm["nama_barang"];
        $kuantiti = $cart_itm["qty"];
        $insert_row = $mysqli->query("INSERT INTO `maklumat_permohonan`(`kod_barang`, `nama_barang`, `kuantiti`, `nombor_order`)
            VALUES ('$kod_barang','$nama_barang','$kuantiti')");

        if($insert_row){
            print 'Please keep the Transaction ID for future reference<br />';
            ?>
            <a href="index.php">Back</a>
            <?php
        }else{
            die('Error : ('. $mysqli->errno .') '. $mysqli->error);
        }
    }
}

This is how my cart session looks. I'm sorry if my code is not too decent and proper, as this is my early learning in PHP using sessions for my thesis on server/client topics.

if(isset($_SESSION["products"]))
{
    $total = 0;
    echo '<form method="post" action="simpan_permohonan.php">';
    echo '<ul>';
    $cart_items = 0;
    foreach ($_SESSION["products"] as $cart_itm)
    {
        $product_code = $cart_itm["code"];
        $results = $mysqli->query("SELECT nama_barang,jenis_barang FROM data_barang WHERE kod_barang='$product_code' LIMIT 1");
        $obj = $results->fetch_object();

        echo '<li class="cart-itm">';
        echo '<span class="remove-itm"><a href="cart_update.php?removep='.$cart_itm["code"].'&return_url='.$current_url.'">&times;</a></span>';

        echo '<div class="product-info">';
        echo '<h3>'.$obj->nama_barang.' (Code :'.$product_code.')</h3> ';
        echo '<div class="p-qty">Kuantiti : '.$cart_itm["qty"].'</div>';
        echo '<div>'.$obj->jenis_barang.'</div>';
        echo '</div>';
        echo '</li>';
        $subtotal = ($cart_itm["price"]*$cart_itm["qty"]);
        $total = ($total + $subtotal);

        echo '<input type="hidden" name="item_name['.$cart_items.']" value="'.$obj->nama_barang.'" />';
        echo '<input type="hidden" name="item_code['.$cart_items.']" value="'.$product_code.'" />';
        echo '<input type="hidden" name="item_desc['.$cart_items.']" value="'.$obj->jenis_barang.'" />';
        echo '<input type="hidden" name="item_qty['.$cart_items.']" value="'.$cart_itm["qty"].'" />';
        $cart_items ++;

    }
    echo '</ul>';
    echo '<span class="check-out-txt">';
    echo '<input type="submit" value="Simpan" />';
    echo '</span>';
    echo '</form>';

}else{
    echo 'Troli Anda Kosong';
}

Mohd Fadli
1 Answer

As you don't share the exact error, I'm just guessing that your INSERT statement is not escaped and probably an occurrence of ' breaks the SQL.

You should seriously take a look at prepared statements, otherwise your application is very vulnerable to SQL injection.

rkosegi
  • I'm not worried about any injection or anything for now because this is only a project for learning purposes. But I seem to have had a bit of a problem for these past few days on this topic regarding saving the session data in MySQL, so is the code I'm using correct? Sorry for my broken English. I'm not at my workplace right now, so it's hard for me to give proper feedback; I forgot to add die at the end of the query so I can't say for sure about any error. – Mohd Fadli Jun 01 '16 at 16:46
  • @MohdFadli : The fact that you don't worry about injection shouldn't be a reason for not doing things the right way. Prepared statements can speed up your queries (if used correctly) and handle the issues with escaping data for you out of the box. I see no reason not to use them in your case. – rkosegi Jun 01 '16 at 16:50
  • @MohdFadli If this is about learning then **learn the correct way to define queries**. I'm sorry for sounding so harsh here, but if you don't use prepared statements you will waste hours tracking down silly mistakes that could have been avoided. Do it right and it's done. Do it the wrong way and it *will* malfunction later on, possibly in a way that's very damaging. – tadman Jun 01 '16 at 16:50
  • What do you mean by prepared statement? Harsh is fine, it's learning so I'm fine with it :) – Mohd Fadli Jun 01 '16 at 16:51
  • @MohdFadli : there is a link in my answer. Just follow it and read the article. – rkosegi Jun 01 '16 at 16:52
  • I've already edited the mysqli syntax; still no error shows, and the data that I want to insert into the MySQL database only pops up in the URL. Any help please... – Mohd Fadli Jun 10 '16 at 14:11
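The prepared-statement version the answer and comments recommend, written here as an added example (it is not code from the asker or the answerer). It keeps the table and column names from the question, assumes as the question does that config.php defines a connected $mysqli, and uses a labelled placeholder for nombor_order: the question's INSERT names four columns but supplies only three values, which MySQL rejects regardless of escaping, so the fourth value has to come from somewhere. Two further details visible in the posted code are worth checking alongside: the form's submit button has no name attribute, so $_POST['submit'] is never set, and the cart display reads $cart_itm["code"] while the insert reads $cart_itm["kod_barang"].

```php
<?php
// Added example: save the session cart with a mysqli prepared statement.
// Table/column names are from the question; $nombor_order is a placeholder.
session_start();
include 'config.php'; // assumed (as in the question) to define $mysqli

if (isset($_POST['submit']) && !empty($_SESSION['products'])) {
    // Hypothetical order number for this request. The question's INSERT lists
    // `nombor_order` as a 4th column but passes only 3 values, which fails with
    // "Column count doesn't match value count" before any data is stored.
    $nombor_order = 'ORDER-PLACEHOLDER';

    // The SQL is sent to the server once, with ? markers where values go.
    // Values are attached afterwards and are never parsed as SQL, so a quote
    // inside nama_barang cannot change the statement.
    $stmt = $mysqli->prepare(
        'INSERT INTO `maklumat_permohonan` (`kod_barang`, `nama_barang`, `kuantiti`, `nombor_order`)
         VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        die('Prepare failed: (' . $mysqli->errno . ') ' . $mysqli->error);
    }

    // bind_param binds by reference, so bind once and reassign in the loop.
    // Types: s = string, i = integer.
    $kod_barang = $nama_barang = '';
    $kuantiti = 0;
    $stmt->bind_param('ssis', $kod_barang, $nama_barang, $kuantiti, $nombor_order);

    // One transaction for the whole cart: either every line is saved or none is.
    $mysqli->begin_transaction();
    foreach ($_SESSION['products'] as $cart_itm) {
        $kod_barang  = $cart_itm['kod_barang'];
        $nama_barang = $cart_itm['nama_barang'];
        $kuantiti    = (int) $cart_itm['qty'];
        if (!$stmt->execute()) {
            $mysqli->rollback();
            die('Execute failed: (' . $stmt->errno . ') ' . $stmt->error);
        }
    }
    $mysqli->commit();
    $stmt->close();

    echo 'Please keep the Transaction ID for future reference<br />';
    echo '<a href="index.php">Back</a>';
}
```

For this to run at all, the form's submit input needs name="submit" (or the check has to test a field that is actually posted), and the session array must use the same key in both scripts. The die() calls are kept in the question's style for debugging; in a deployed page you would log $stmt->error rather than echo it to the visitor.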