Reputation: 203
So I'm trying to insert values into my database. It worked in register, and I copied and pasted the same code, but when I changed the values it won't insert. Although var_dump gives me a value, the query keeps giving me false;
<form class="form-horizontal" action="" method="POST">
<fieldset>
<legend>Account Register</legend>
<div class="form-group">
<label for="iPID" class="col-lg-2 control-label">Product ID</label>
<div class="col-lg-10">
<input class="form-control" id="iPID" name="inputpid" placeholder="Product ID" type="text" required>
</div>
</div>
<div class="form-group">
<label for="iPname" class="col-lg-2 control-label">Product Name</label>
<div class="col-lg-10">
<input class="form-control" id="iPname" name="inputpname" placeholder="Product Name" type="text" required>
</div>
</div>
<div class="form-group">
<label for="iPprice" class="col-lg-2 control-label">Product Price</label>
<div class="col-lg-10">
<input class="form-control" id="iPprice" name="inputpprice" placeholder="Product Price" type="text" required>
</div>
</div>
<div class="form-group">
<div class="col-lg-10 col-lg-offset-2">
<button type="reset" class="btn btn-default">Cancel</button>
<button type="submit" class="btn btn-primary">Submit</button>
</div>
</div>
</fieldset>
</form>
And this is the PHP code below this form; I already have ob_start and session_start at the top of the code:
<?php
include("config.php");
$ppid=$_POST['inputpid'];
$pname=$_POST['inputpname'];
$pprice=$_POST['inputpprice'];
$product_query=mysqli_query($con,"INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES('$ppid', '$pname', $pprice')");
var_dump($ppid);
var_dump($pname);
var_dump($pprice);
var_dump($product_query);
?>
I don't know what I'm missing in this one and hope someone could help me with this. Thank you in advance!
Upvotes: 0
Views: 603
Reputation: 2462
Update
In response to @tadman's comment on this answer, here is the proper way to insert the record using a parameterized query. I used the procedural functions instead of the object-oriented style to keep the format similar to the code in the question.
<?php
include("config.php");
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$stmt = mysqli_prepare($con, 'INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES(?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'sss', $filtered['inputpid'], $filtered['inputpname'], $filtered['inputpprice']); // 's' for string, 'i' for integer, 'd' for double, 'b' for blob
$product_query = mysqli_stmt_execute($stmt);
var_dump($filtered['inputpid']);
var_dump($filtered['inputpname']);
var_dump($filtered['inputpprice']);
var_dump($product_query);
?>
And for anyone interested in the object-oriented method for doing the same thing:
<?php
include('config.php');
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$stmt = $con->prepare('INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES(?, ?, ?)');
$stmt->bind_param('sss', $filtered['inputpid'], $filtered['inputpname'], $filtered['inputpprice']);
$product_query = $stmt->execute();
var_dump($filtered, $product_query);
?>
Previous
I agree with several of the comments above that you're vulnerable to SQL injection with the code you posted. The code below will correct the syntax error you had in your original query and it'll also clean the input and safely escape it for insertion in your database table.
<?php
include("config.php");
$filtered = filter_input_array(INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS);
$ppid = mysqli_real_escape_string($con, $filtered['inputpid']);
$pname = mysqli_real_escape_string($con, $filtered['inputpname']);
$pprice = mysqli_real_escape_string($con, $filtered['inputpprice']);
// Escaped values must still be quoted in the SQL text; the original query was missing the opening quote before $pprice
$product_query = mysqli_query($con, "INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES('$ppid', '$pname', '$pprice')");
var_dump($ppid);
var_dump($pname);
var_dump($pprice);
var_dump($product_query);
?>
Upvotes: 3
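The answer above shows the parameterized insert; the following is an added example (not code from the question or from the answers) that combines it with the two things the asker was missing in practice: turning on mysqli error reporting so a malformed query raises an exception instead of silently returning false, and validating the price as a number before binding it with the `d` type. It assumes the same `$con` connection from `config.php` and the same `tblproducts(p_pid, p_name, p_price)` table as the question, and assumes `p_price` is a numeric column.

```php
<?php
// Added example, not taken from the question or the answers. Assumes the
// $con connection from config.php and the tblproducts table from the question;
// p_price is assumed to be a numeric (DECIMAL/FLOAT) column.
include("config.php");

// 1. Make mysqli throw exceptions instead of returning false. A query with a
//    syntax error (like the unbalanced quote in the original code) is then
//    reported with its message rather than showing up only as bool(false).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 2. Validate input by type instead of rewriting it. FILTER_SANITIZE_SPECIAL_CHARS
//    turns quotes into HTML entities, which changes what gets stored; with a
//    prepared statement that rewriting is unnecessary for SQL safety.
$ppid   = filter_input(INPUT_POST, 'inputpid', FILTER_DEFAULT);
$pname  = filter_input(INPUT_POST, 'inputpname', FILTER_DEFAULT);
$pprice = filter_input(INPUT_POST, 'inputpprice', FILTER_VALIDATE_FLOAT);

// filter_input returns null when the field is absent and false when
// FILTER_VALIDATE_FLOAT rejects the value (e.g. "abc" or "10,50").
if ($ppid === null || $pname === null || $pprice === null || $pprice === false) {
    http_response_code(400);
    exit('Missing or invalid product fields');
}

try {
    // 3. Placeholders keep the values out of the SQL text entirely, so no
    //    quoting or escaping is needed and the input cannot change the
    //    statement. 's' binds strings, 'd' binds the price as a double.
    $stmt = mysqli_prepare(
        $con,
        'INSERT INTO tblproducts (p_pid, p_name, p_price) VALUES (?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'ssd', $ppid, $pname, $pprice);
    mysqli_stmt_execute($stmt);
    echo 'Inserted ' . mysqli_stmt_affected_rows($stmt) . ' row(s)';
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; do not echo it to the browser, since the
    // message can reveal table and column names.
    error_log('Product insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save product');
}
```

With `MYSQLI_REPORT_STRICT` enabled, the original broken query would have thrown a `mysqli_sql_exception` naming the SQL syntax error at the point of `mysqli_query`, which is the quickest way to find out why a query "keeps giving false". The `try`/`catch` keeps that detail in the server log rather than in the HTTP response.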
Reputation: 726
$product_query=mysqli_query($con,"INSERT INTO tblproducts(p_pid, p_name, p_price) VALUES('$ppid', '$pname', '$pprice')");
please put $pprice in single quotes
Upvotes: 2