
So I've created a form using a PHP script but the data that I enter into the form is not inserting into the MySQL database for some reason. I'm not that familiar with PHP but have researched online about the syntax and can't figure out what is wrong. I've posted my code below (apologies if it's more than is needed to solve the problem).

<!DOCTYPE>
<?php
include("includes/db.php");
?>

<html>
    <head>
        <title>Inserting Product</title>
  <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script>
  <script>
    tinymce.init({ selector:'textarea' });
  </script>
    </head>
    <!--Colour should be sky blue-->

<body bgcolor="skyblue">
    <form action="insert_product.php" method="post" enctype="multipart/form-data">
    <table align="center" width="750" border="2" bgcolor="orange">
      <tr align="center">
          <td colspan="7"><h2>Insert New Post Here</h2></td>
      </tr>
        <tr>
            <td align="right"><b>Product Title:</b></td>
            <td><input type="text" name="product_title" size="60" required/></td>
      </tr>
         <tr>
             <td align="right"><b>Product Category:</b></td>
            <td>
             <select name="product_cat" required>
                 <option>Select a Category</option>

                 <?php
                 $get_cats = "select * from categories";
                 //local variable in PHP is created using $ sign;
        // * denotes all (everything)
        $run_cats = mysqli_query($con, $get_cats);
        while ($row_cats=mysqli_fetch_array($run_cats)) {
        $cat_id = $row_cats['cat_id'];
        $cat_title = $row_cats['cat_title'];
        //local variables
        echo "<option value='$cat_id'>$cat_title</option>";
    }
                 ?>
                </select>
             </td>
      </tr>
        <tr>
            <td align="right"><b>Product Brand:</b></td>
            <td>
            <select name="product_brand" required>
                 <option>Select a Brand</option>

         <?php
                 $get_brands = "select * from brands";
    $run_brands = mysqli_query($con, $get_brands);
    while ($row_brands=mysqli_fetch_array($run_brands)) {
        $brand_id = $row_brands['brand_id'];
        $brand_title = $row_brands['brand_title'];
        echo "<option value='$brand_id'>$brand_title</option>";
    }
                 ?>
                </select>
            </td>
      </tr>
      <tr>
        <td align="right"><b>Product Image:</b></td>
        <td><input type="file" name="product_image" required/></td>
      </tr>
        <tr>
            <td align="right"><b>Product Price:</b></td>
            <td><input type="text" name="product_price" required /></td>
      </tr>
         <tr>
             <td align="right"><b>Product Description:</b></td>
             <td><textarea name="product_desc" cols="20" rows="10"></textarea></td>
      </tr>
         <tr>
             <td align="right"><b>Product Keywords:</b></td>
            <td><input type="text" name="product_keywords" size="50" required/></td>
      </tr>
         <tr align="center">
            <td colspan="7"><input type="submit" name="insert_post" value="Insert Product Now" /></td>
      </tr>
   </table>
    </form>
</body>
</html>

<?php

    if(isset($_POST['insert_post'])) {
//$_POST is pre-defined/ global variable in PHP
//getting the text data from the fields

        $product_title = $_POST['product_title'];
        $product_cat = $_POST['product_cat'];
        $product_brand = $_POST['product_brand'];
        $product_price = $_POST['product_price'];
        $product_desc = $_POST['product_desc'];
        $product_keywords = $_POST['product_keywords'];
        //getting the image from the field
        $product_image = $_FILES['product_image']['name'];
        $product_image_tmp = $_FILES['product_image']['tmp_name']; //temporary/default name

move_uploaded_file($product_image_tmp,"product_images/$product_image");
            //Remove echo below once  verified that it works (only literally the word 'echo')
            echo $insert_product = "INSERT INTO products (product_cat,product_brand,product_title,product_price,product_desc,product_image,product_keywords) VALUES ('$product_cat','$product_brand','$product_title',$product_price','$product_desc','$product_image','$product_keywords')";
            //'products' is table name
            // 1st parentheses: column / fields inside table
            $insert_pro = mysqli_query($con, $insert_product);
            if($insert_pro) {
                echo "<script>alert('Product has been inserted!')</script>";
                echo "<script>window.open('insert_product.php','_self')</script>";
            }
        }

?>

I can see the values that I've entered below the form from the echo statement but when I check the database, they're not there. Similarly, the JavaScript alert doesn't appear. The code inside the db.php file establishes the connection to the database:

$con = mysqli_connect("localhost","root","","ecommerce");
  • Your script is vulnerable to SQL injection: https://stackoverflow.com/a/60496/6663198 – Flyzzx Aug 15 '18 at 15:43
  • Check your error log. Also, this insert is really unsafe. Use parameterized queries – WillardSolutions Aug 15 '18 at 15:44
  • Please turn on error reporting - https://stackoverflow.com/q/1053424/296555 and also turn MySQL errors into PHP exceptions - https://stackoverflow.com/a/22662582/296555 – waterloomatt Aug 15 '18 at 15:47
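
What the comments above recommend (parameterized queries, with MySQL errors turned into PHP exceptions), shown as an added example that is not part of the original question or its comments. The table and column names and the connection parameters come from the question; `insert_product()`, the sample values and the column types are assumptions, and the file upload step is left out.

```php
<?php
// Added example, not the asker's code. Table/column names come from the question;
// insert_product(), the sample values and the column types are assumptions.

// Raise exceptions on mysqli errors so a failed query cannot pass silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_product(mysqli $con, array $in, string $image_name): int
{
    // Assumed: ids are integers and the price is numeric. Anything else is
    // rejected, including the "Select a Category" placeholder option.
    $cat   = filter_var($in['product_cat'] ?? null, FILTER_VALIDATE_INT);
    $brand = filter_var($in['product_brand'] ?? null, FILTER_VALIDATE_INT);
    $price = filter_var($in['product_price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($cat === false || $brand === false || $price === false) {
        throw new InvalidArgumentException('category, brand and price must be numeric');
    }
    $title    = (string) ($in['product_title'] ?? '');
    $desc     = (string) ($in['product_desc'] ?? '');
    $keywords = (string) ($in['product_keywords'] ?? '');

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $con->prepare(
        'INSERT INTO products
           (product_cat, product_brand, product_title, product_price,
            product_desc, product_image, product_keywords)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('iisdsss', $cat, $brand, $title, $price, $desc, $image_name, $keywords);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input; the apostrophe is stored as data, not parsed as SQL.
$sample = ['product_cat' => '1', 'product_brand' => '2', 'product_price' => '19.99',
           'product_title' => "Men's Watch", 'product_desc' => 'Steel case',
           'product_keywords' => 'watch, steel'];

try {
    $con = mysqli_connect('localhost', 'root', '', 'ecommerce'); // as in the question's db.php
    echo insert_product($con, $sample, 'watch.jpg'), " row inserted\n";
} catch (mysqli_sql_exception $e) {
    error_log('insert failed: ' . $e->getMessage()); // detail goes to the log only
    echo "Could not save the product.\n";
}
```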
