
so, a code that works has these html forms (showBack.php):

```html
<form action="add.php" method="POST">
Name: <input type="text" name="addName"><br>
Price: <input type="text" name="addPrice"><br>
<input type="submit" value="Add">
```

and then the input is inserted into a database in another file(add.php):

```php
$nam=$_POST['addName'];
$prcc=$_POST['addPrice'];
$sql= 'INSERT INTO korzina (Name, Price, Num)
VALUES ("'.$nam.'","'.$prcc.'", "0")';
mysqli_query($conn, $sql);
```

now, what i've done is just add more fields and change the table where that info is added (edit.php):

```html
<form action="addd.php" method="POST">
Аты: <br><input type="text" name="addName"><br>
Сипаты: <br><input type="text" name="addDes"><br>
Бағасы: <br><input type="text" name="addPrc"><br>
Өндіруші бағасы: <br><input type="text" name="addRrp"><br>
Саны: <br><input type="text" name="addQ"><br>
Суреті: <br><input type="text" name="addImg"><br>
<input type="hidden" name="addDat" value="<?=$date ?>">
<input type="submit" value="Қосу">
```

which just means more values to add in another file(addd.php):

```php
$nam=$_POST['addName'];
$des=$_POST['addDes'];
$prc=$_POST['addPrc'];
$rrp=$_POST['addRrp'];
$quant=$_POST['addQ'];
$img=$_POST['addImg'];
$dat=$_POST['addDat'];
$sql= 'INSERT INTO products (name, desc, price, rrp, quantity, img, date_added)
VALUES ("'.$nam.'","'.$des.'", "'.$prc.'", "'.$rrp.'", "'.$quant.'", "'.$img.'", "'.$dat.'")';
mysqli_query($conn, $sql);
```

but now it just doesn't work. it's the exact same code, just expanded a little, but it doesn't work and it's driving me mad.

edit: there aren't any errors, the code just doesn't work. the shorter code works, ie adds the input into the table no problem, but now that i've added more variables, it doesn't. also, it's just for a stupid assignment, i don't care about sql injection or whatever and i'm sure my teacher doesn't even know what it is

Funk Forty Niner
  • Always use parameters! Never munge query strings with literal values. Then you won't have these problems. Ever again. – Gordon Linoff Nov 10 '19 at 12:54
  • Check the error message or server logs to find out what exactly "doesn't work". – Bart Friederichs Nov 10 '19 at 13:03
  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Nov 10 '19 at 14:01
  • You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Nov 10 '19 at 14:01
  • @BartFriederichs i didn't mention an error because there isn't one. the code doesn't work but has no errors – Sober_Samuel Nov 10 '19 at 15:26
  • If SQL code doesn't work, there is always an error. You probably suppressed it, or didn't check for it, or it is lost in a log file somewhere. – Bart Friederichs Nov 10 '19 at 15:49
  • *"there aren't any errors"* - I don't see any error checking for the PHP and MySQL. I also don't see a closing `</form>` tag for the form. – Funk Forty Niner Nov 10 '19 at 20:08
  • *"i don't care about sql injection"* - You should. *"i'm sure my teacher doesn't even know what it is"* - He/she should. – Funk Forty Niner Nov 10 '19 at 20:10
  • *"<?=$date ?>"* - How is that populated from? and does it have value? – Funk Forty Niner Nov 10 '19 at 20:11

1 Answer


It might be because desc is a reserved keyword. Try surrounding it in back ticks : ` like this:

```php
$sql= 'INSERT INTO products (`name`, `desc`, `price`, `rrp`, `quantity`, `img`, `date_added`)
VALUES ("'.$nam.'","'.$des.'", "'.$prc.'", "'.$rrp.'", "'.$quant.'", "'.$img.'", "'.$dat.'")';
```

P.S: As a general rule, surround Database names, Table Names and Columns with back ticks: `. It will prevent some bugs like this.

P.S: Using this kind of query is dangerous (Risk of SQL Injection). Try Prepared Statements in PDO. Like this:

```php
$stmt = $pdo->prepare("INSERT INTO `my_table` (`col_1`,`col_2`,`col_3`) VALUES (?,?,?)");
$stmt->execute([ $val1, $val2, $val3 ]);
```
Bill Karwin
  • Note OP is using mysqli so prepared statement as you wrote won't work. Might be worth adding a reference to https://stackoverflow.com/questions/17053466/how-to-display-errors-for-my-mysqli-query so OP can get errors in the future. The `desc` issue should have been reported. – user3783243 Nov 10 '19 at 13:14
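
As the comment above notes, the answer's PDO snippet does not fit the question's mysqli connection. The following is an added example, not code from the question or the answer, of addd.php using mysqli prepared statements with error reporting switched on so that a failure like the unquoted `desc` is no longer silent. The `add_product` helper name, the connection credentials and the column types are assumptions.

```php
<?php
declare(strict_types=1);
// Throw exceptions on any mysqli failure instead of returning false silently;
// this is what surfaces the syntax error caused by an unquoted `desc`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Insert one row into `products`; returns the number of rows inserted. */
function add_product(mysqli $conn, array $in): int
{
    $name  = trim((string)($in['addName'] ?? ''));
    $desc  = trim((string)($in['addDes'] ?? ''));
    $img   = trim((string)($in['addImg'] ?? ''));
    // Assumed column types: price and rrp are decimals, quantity is an integer.
    $price = filter_var($in['addPrc'] ?? null, FILTER_VALIDATE_FLOAT);
    $rrp   = filter_var($in['addRrp'] ?? null, FILTER_VALIDATE_FLOAT);
    $quant = filter_var($in['addQ'] ?? null, FILTER_VALIDATE_INT);
    if ($name === '' || $price === false || $rrp === false || $quant === false) {
        throw new InvalidArgumentException('Missing or non-numeric form field');
    }
    // The hidden addDat field is client-controlled, so the timestamp is taken
    // on the server instead (assumes date_added is a DATETIME column).
    $date = date('Y-m-d H:i:s');

    // Backticks let the reserved word `desc` serve as a column name, and the
    // ? placeholders keep user input out of the SQL text entirely.
    $stmt = $conn->prepare(
        'INSERT INTO `products` (`name`, `desc`, `price`, `rrp`, `quantity`, `img`, `date_added`)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssddiss', $name, $desc, $price, $rrp, $quant, $img, $date);
    $stmt->execute();
    return (int)$stmt->affected_rows;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        // Placeholder credentials (assumptions): replace with the real settings.
        $conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
        $conn->set_charset('utf8mb4');
        echo add_product($conn, $_POST) === 1 ? 'Added' : 'Nothing inserted';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo database errors to the client.
        error_log($e->getMessage());
        http_response_code(500);
        echo 'Database error';
    }
}
```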