  1. #1
    SitePoint Enthusiast
    Join Date
    Jul 2013
    Posts
    37
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    How to send div content to database

    Hi guys! I've got a form which has several text areas which are sent to the database perfectly on submit...

    Now, on the same form I have total_price displayed within a <div> tag. How would I send the value of total_price to the database?

    I'm using the following code...

    PHP Code:
    include 'db.php';

    $err = array();

    if ($_POST['checkout'] == 'Checkout') {

        foreach ($_POST as $key => $value) {
            $data[$key] = filter($value);
        }

        if (empty($err)) {
            $sql_insert = "INSERT into `checkout`
                      (`total_price`,`data_created`
                    )
                    VALUES
                    ('$data[total_price]',now()
                    )";

            mysql_query($sql_insert, $link) or die("Insertion Failed:" . mysql_error());
            header('Location: thankyou.php');
        }
    }

  2. #2
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,806
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    Set total_price as a hidden form field.
    Code:
    <input type="hidden" name="total_price" value="whatever" />
    That then gets sent to the database as part of the POST array.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3
    Non-Member
    Join Date
    Oct 2007
    Posts
    363
    Mentioned
    11 Post(s)
    Tagged
    0 Thread(s)
    Your code is absolutely wide open to sql injection attacks. I could delete your entire database just by passing certain text to one of your input fields.

    Using a foreach loop to automatically set up data from your $_POST array is a stupid thing to do - this should never be done under any circumstances, ever. There is never a good reason to do this and you should stop doing it instantly.

    You should also have quotations around 'total_price' in this line: $data[total_price].

    You also shouldn't be using mysql_ functions, as they have been deprecated for YEARS. Stop using them.

    I suggest you work on fixing these issues (particularly the sql injection issues) before doing anything else.

  4. #4
    SitePoint Enthusiast
    Join Date
    Jul 2013
    Posts
    37
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you for your replies!

    I've been reconstructing the PHP in an attempt to make it more secure and integrating it with PDO.

    But I've come up against another problem! It isn't inserting into the database. The code I'm using is...

    PHP Code:
    <?php
    $conn = new PDO('mysql:dbname=dbname;host=hostname', 'user', 'pass');
    try {
        $conn = new PDO('mysql:host=hostname;dbname=dbname', 'user', 'pass');
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        echo 'ERROR: ' . $e->getMessage();
    }
    PDO::ERRMODE_SILENT;
    PDO::ERRMODE_WARNING;
    PDO::ERRMODE_EXCEPTION;

    if ($_POST['SaveAccount'] == 'submit') {

        try {
            $pdo = new PDO('mysql:dbname=dbname;host=hostname', 'user', 'pass');
            $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            $stmt = $pdo->prepare('INSERT INTO checkout (full_name) VALUES (:full_name)');
            $stmt = $pdo->prepare($query);

            # Affected Rows?
            echo $stmt->rowCount(); // 1
        } catch (PDOException $e) {
            echo 'Error: ' . $e->getMessage();
        }
    }

    ?>
    HTML Code:
    <input name="full_name" id="full_name"  type="text" required/>
    Do you guys have any idea why it isn't inserting?
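
The code in post #4 calls prepare() twice (the second time with an undefined $query) and never binds a value or calls execute(), so no INSERT is ever sent. The following is an added example, not code from the thread or its posters, showing one way to write that insert with named fields, bound parameters and execute(). Assumptions: the function name saveCheckout, the 100-character limit, the price format and the in-memory SQLite database (used so the script runs offline) are all hypothetical; table and column names follow the posts.

```php
<?php
// Added example, not code from the thread. The sqlite::memory: DSN is an
// assumption so this runs offline; the thread itself uses a mysql: DSN.
function saveCheckout(PDO $pdo, array $post): int
{
    // Read only the fields the form is expected to send, by name,
    // instead of copying every key of $_POST.
    $fullName   = trim((string)($post['full_name'] ?? ''));
    $totalPrice = (string)($post['total_price'] ?? '');
    if ($fullName === '' || strlen($fullName) > 100) { // limit is an assumption
        throw new InvalidArgumentException('full_name is required (max 100 bytes)');
    }
    // A hidden field is still client-supplied input: accept a plain decimal only.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?\z/', $totalPrice)) {
        throw new InvalidArgumentException('total_price must be a decimal amount');
    }
    // prepare() only compiles the statement; nothing is written until execute().
    $stmt = $pdo->prepare(
        'INSERT INTO checkout (full_name, total_price, data_created)
         VALUES (:full_name, :total_price, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([':full_name' => $fullName, ':total_price' => $totalPrice]);
    return $stmt->rowCount(); // number of rows inserted
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE checkout (full_name TEXT, total_price TEXT, data_created TEXT)');

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['full_name' => 'Ann Example', 'total_price' => '19.99'],
    ['full_name' => "Pat O'Brien'); -- ", 'total_price' => '5.00'], // stored as literal text
    ['full_name' => 'Bob Example', 'total_price' => '0 OR 1=1'],    // fails validation
];
foreach ($samples as $post) {
    try {
        echo saveCheckout($pdo, $post), " row inserted\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
echo $pdo->query('SELECT COUNT(*) FROM checkout')->fetchColumn(), " rows stored\n";
```

Because the values travel as bound parameters, the quote characters in the second sample never become part of the SQL text. A price the server can compute itself is better recalculated server-side than read from the form.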

