  1. #1
    Linux Newbie
    Join Date
    Dec 2006
    Posts
    119

    [SOLVED] Insert Values to Database

    ok, i feel dumb........ i am creating a simple web cart from this site (Building a Simple PHP Shopping Cart). the shopping cart works great but now i would like to be able to insert the values on the shopping cart (cart.php) into MySQL database.

    so how i could do that?

    note: i changed couple of variables, but not a lot that will differ from that site. here is my current (cart.php).

    PHP Code:
    <?php
    // Build the "You have N items" summary link from the session cart.
    function writeShoppingCart() {
        $cart = $_SESSION['cart'];
        if (!$cart) {
            return '<p>You have no items in your shopping cart</p>';
        } else {
            // Parse the cart session variable
            $items = explode(',', $cart);
            $s = (count($items) > 1) ? 's' : '';
            return '<p>You have <a href="cart.php">'.count($items).' item'.$s.' in your shopping cart</a></p>';
        }
    }

    // Render the cart as an HTML form, one table row per distinct product.
    function showCart() {
        global $db;
        $cart = $_SESSION['cart'];
        $output = array();
        $total = 0;
        if ($cart) {
            $items = explode(',', $cart);
            $contents = array();
            // Count how many times each product ID appears in the cart
            foreach ($items as $item) {
                $contents[$item] = (isset($contents[$item])) ? $contents[$item] + 1 : 1;
            }
            //$output[] = '<form action="cart.php?action=update" method="post" id="cart">';
            $output[] = '<form action="inc/orderReportCheckoutPost.php" method="post" id="cart">';
            $output[] = '<table>';
            foreach ($contents as $id => $qty) {
                // $id is concatenated straight into the query text
                $sql = 'SELECT * FROM ProductItems WHERE ProductItemsID = '.$id;
                $result = $db->query($sql);
                $row = $result->fetch();
                // Creates $Item, $Price, ... from the row's column names
                extract($row);
                $output[] = '<tr>';
                $output[] = '<td><a href="cart.php?action=delete&id='.$id.'" class="r">Remove</a></td>';
                $output[] = '<td>'.$Item.'</td>';
                $output[] = '<td>$'.$Price.'</td>';
                $output[] = '<td><input type="text" name="qty'.$id.'" value="'.$qty.'" size="3" maxlength="3" /></td>';
                $output[] = '<td>$'.($Price * $qty).'</td>';
                $total += $Price * $qty;
                $output[] = '</tr>';
            }
            $output[] = '</table>';
            $output[] = '<p>Grand total: <strong>$'.$total.'</strong></p>';
            $output[] = '<div><button type="submit">Update cart</button>';
            $output[] = '<input Name = "Submit1" type="submit"></div>';
            $output[] = '</form>';
        } else {
            $output[] = '<p>Your shopping cart is empty.</p>';
        }
        return join('', $output);
    }
    ?>
    thanks in advance for your help.

  2. #2
    Just Joined!
    Join Date
    Feb 2009
    Posts
    4
    So I guess we can start at the beginning: are you making a connection to your db yet and only needing help with the insert statement, or are you needing help with the whole thing?

    mysql connect info is located here.

    I generally use the query to do my inserts.

  3. #3
    Linux Newbie
    Join Date
    Dec 2006
    Posts
    119
    Quote Originally Posted by Castle View Post
    So I guess we can start at the beginning: are you making a connection to your db yet and only needing help with the insert statement, or are you needing help with the whole thing?

    mysql connect info is located here.

    I generally use the query to do my inserts.
    just the insert statement. i am pretty sure that my values are on the array, so that is what i am trying to insert. i know how to have the connection to the database with no problem and as a matter of fact is working with no problem.

    thank you in advance.

  4. #4
    Just Joined!
    Join Date
    Feb 2009
    Posts
    4
    Without knowing the table layout it will be kind of difficult.
    I am going on the assumption it will look something like this. There may be more or less but this should help you get the idea.

    tablename
    purchase_id auto increment pk
    item_id pk
    price
    qty


    It would end up something like this. One of the reasons I have price in there is in case you change prices.
    Code:
    INSERT INTO tablename (id, price, qty) VALUES ($Item, $Price, $qty)
    Also you might need to put quotes around the Price depending on how it is setup.

    It is a little rough of an answer. I hope it helps.

  5. #5
    Linux Newbie
    Join Date
    Dec 2006
    Posts
    119
    Quote Originally Posted by Castle View Post
    Without knowing the table layout it will be kind of difficult.
    I am going on the assumption it will look something like this. There may be more or less but this should help you get the idea.

    tablename
    purchase_id auto increment pk
    item_id pk
    price
    qty


    It would end up something like this. One of the reasons I have price in there is in case you change prices.
    Code:
    INSERT INTO tablename (id, price, qty) VALUES ($Item, $Price, $qty)
    Also you might need to put quotes around the Price depending on how it is setup.

    It is a little rough of an answer. I hope it helps.
    thnx for your reply so quick. actually the table will look something like this:

    Code:
    Order Table
    OrderID (PK)     TotalPrice     ProductItemsID (FK)
    
    Product Table
    ProductItemsID (PK)    Items     Price
    the only values that i would like to do is......
    insert each ProductItemsID and TotalPrice to the Order's Table

    so in other words i would like to create some type of loop that it will pass $id, $total, and $Item to the Order's Table

    sorry that i didn't provide enough information at first.

    really............ thank you so much for your help and effort.

  6. #6
    Linux Engineer Thrillhouse's Avatar
    Join Date
    Jun 2006
    Location
    Arlington, VA, USA
    Posts
    1,377
    Be careful with SQL injection. I don't know php but this:
    PHP Code:
    $sql = 'SELECT * FROM ProductItems WHERE ProductItemsID = '.$id;
    $result = $db->query($sql);
    looks like it might be vulnerable. Here is some background. Basically, you should be sanitizing any data inputs that could be passed in a WHERE clause to the database.

  7. #7
    Linux Newbie
    Join Date
    Dec 2006
    Posts
    119
    Quote Originally Posted by Thrillhouse View Post
    Be careful with SQL injection. I don't know php but this:
    PHP Code:
    $sql = 'SELECT * FROM ProductItems WHERE ProductItemsID = '.$id;
    $result = $db->query($sql);
    looks like it might be vulnerable. Here is some background. Basically, you should be sanitizing any data inputs that could be passed in a WHERE clause to the database.
    thnx for the info. i honestly didn't know how vulnerable the where clause could be. i'll definitely fix this after making sure that my values are being inserted into the database.

    thnx

  8. #8
    Linux Guru
    Join Date
    Nov 2004
    Posts
    6,110
    Sanitizing inputs is very important...


    Make sure you strip out key characters such as .'-/{}() and you might also consider removing spaces or at least ensuring that the variables will be quoted as appropriate to avoid any other issues.

  9. #9
    Trusted Penguin elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    2,300
    Very VEry VERy VERY vulnerable.

    You should be looking at validating $id for data type and data values. In fact you should do that for every user input and by user I mean people and remote systems.

  10. #10
    Linux Newbie
    Join Date
    Dec 2006
    Posts
    119
    Quote Originally Posted by elija View Post
    Very VEry VERy VERY vulnerable.

    You should be looking at validating $id for data type and data values. In fact you should do that for every user input and by user I mean people and remote systems.
    eventually the data will be validated but with javascript. i want that all the data will be validated before being inserted to the server.

    i tried this but it didn't work. any thoughts??
    Code:
    INSERT INTO tablename (id, price, qty) VALUES ($Item, $Price, $qty)
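
An added example, not code from any poster in this thread or from the tutorial it follows: the cart IDs are validated as integers on the server, then looked up and written to the order table with prepared statements, which covers both the insert loop asked about in post #5 and the injection concern raised from post #6 onward. Assumptions: `$db` is a PDO handle (in-memory SQLite stands in for MySQL so the block runs offline), the order table is named `Orders` because `ORDER` is a reserved word, and the sample rows and cart string are constructed.

```php
<?php
// Added example. Assumptions: $db is a PDO handle (in-memory SQLite so it runs
// offline); the "Orders" table name and all sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ProductItems (ProductItemsID INTEGER PRIMARY KEY, Item TEXT, Price REAL)');
$db->exec('CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY AUTOINCREMENT,
           TotalPrice REAL, ProductItemsID INTEGER REFERENCES ProductItems(ProductItemsID))');
$db->exec("INSERT INTO ProductItems VALUES (1, 'Mug', 4.50), (2, 'Pen', 1.25)");

// Turn the comma-separated cart string into [id => qty], keeping only
// entries that are plain positive integers (checked server-side).
function parseCart(string $cart): array {
    $contents = [];
    foreach (explode(',', $cart) as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) { // anything that is not an integer ID is dropped
            $contents[$id] = ($contents[$id] ?? 0) + 1;
        }
    }
    return $contents;
}

// Look up each item and write one Orders row per product, with the values
// bound as parameters instead of concatenated into the SQL text.
function saveOrder(PDO $db, array $contents): int {
    $select = $db->prepare('SELECT Price FROM ProductItems WHERE ProductItemsID = :id');
    $insert = $db->prepare('INSERT INTO Orders (TotalPrice, ProductItemsID) VALUES (:total, :id)');
    $rows = 0;
    $db->beginTransaction();
    try {
        foreach ($contents as $id => $qty) {
            $select->execute([':id' => $id]);
            $price = $select->fetchColumn();
            if ($price !== false) { // skip IDs that match no product
                $insert->execute([':total' => $price * $qty, ':id' => $id]);
                $rows++;
            }
        }
        $db->commit();
    } catch (Exception $e) {
        $db->rollBack(); // leave no half-written order behind
        throw $e;
    }
    return $rows;
}

// Constructed cart: two valid IDs (one repeated), one non-integer entry, one unknown ID.
echo saveOrder($db, parseCart('1,2,1,1 OR 1=1,99')), " rows inserted\n";
```

The price is read from `ProductItems` at insert time rather than taken from the submitted form, so a value edited in the browser never reaches the `Orders` row.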
