How to send div content to database

Hi guys! I’ve got a form which has several text areas which is sent to the database perfectly on submit…

Now, on the same form I have total_price displayed within a <div> tag. How would I send the value of total_price to the database?

I’m using the following code…

include 'db.php';

$err = array();

if($_POST['checkout'] == 'Checkout')
{
    foreach($_POST as $key => $value) {
        $data[$key] = filter($value);
    }

    if(empty($err)) {
        $sql_insert = "INSERT into `checkout`
            (`total_price`,`data_created`)
            VALUES
            ('$data[total_price]',now())";

        mysql_query($sql_insert,$link) or die("Insertion Failed:" . mysql_error());
        header('Location: thankyou.php');
    }
}

Set total_price as a hidden form field.


<input type="hidden" name="total_price" value="whatever" />

That then gets sent to the database as part of the POST array.

Your code is absolutely wide open to SQL injection attacks. I could delete your entire database just by passing certain text to one of your input fields.

Using a foreach loop to automatically set up data from your $_POST array is a stupid thing to do - this should never be done under any circumstances, ever. There is never a good reason to do this and you should stop doing it instantly.

You should also have quotations around ‘total_price’ in this line: $data[total_price].

You also shouldn’t be using mysql_ functions, as they have been deprecated for YEARS. Stop using them.

I suggest you work on fixing these issues (particularly the SQL injection issues) before doing anything else.

Thank you for your replies!

I’ve been reconstructing the PHP in an attempt to make it more secure and integrating it with PDO.

But I’ve come up against another problem! It isn’t inserting into the database. The code I’m using is…

<?php
$conn = new PDO('mysql:dbname=dbname;host=hostname', 'user', 'pass');
try {
    $conn = new PDO('mysql:host=hostname;dbname=dbname', 'user', 'pass');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
PDO::ERRMODE_SILENT;
PDO::ERRMODE_WARNING;
PDO::ERRMODE_EXCEPTION;

 if($_POST['SaveAccount'] == 'submit')
{

try {
  $pdo = new PDO('mysql:dbname=dbname;host=hostname', 'user', 'pass');
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

  $stmt = $pdo->prepare('INSERT INTO checkout (full_name) VALUES (:full_name)');
  $stmt = $pdo->prepare($query);

  # Affected Rows?
  echo $stmt->rowCount(); // 1
} catch(PDOException $e) {
  echo 'Error: ' . $e->getMessage();
}
}

?>
<input name="full_name" id="full_name"  type="text" required/>

Do you guys have any idea why it isn’t inserting?
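
Added example, not part of any post in this thread: the snippet above calls prepare() a second time with an undefined $query and never calls execute(), so no row is written. The sketch below shows a working prepared-statement insert that reads only named fields and recomputes the total on the server instead of trusting a hidden total_price field. It assumes an in-memory SQLite database in place of MySQL so it runs offline; PRICES_CENTS, the items field and saveCheckout() are hypothetical names.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so this runs offline; for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE checkout (full_name TEXT, total_price TEXT,
    data_created TEXT DEFAULT CURRENT_TIMESTAMP)');

// Hypothetical server-side price list, in cents (an assumption of this example).
const PRICES_CENTS = ['widget' => 999, 'gadget' => 2450];

function saveCheckout(PDO $pdo, array $post): int
{
    // Read only the named fields; never copy the whole POST array.
    $fullName = $post['full_name'] ?? '';
    $items = $post['items'] ?? [];
    if (!is_string($fullName) || trim($fullName) === ''
        || !is_array($items) || $items === []) {
        throw new InvalidArgumentException('full_name and items are required');
    }
    // Recompute the total here: a hidden total_price field is client-editable.
    $totalCents = 0;
    foreach ($items as $sku => $qty) {
        $qty = filter_var($qty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 1000]]);
        if (!array_key_exists($sku, PRICES_CENTS) || $qty === false) {
            throw new InvalidArgumentException('unknown item or bad quantity');
        }
        $totalCents += PRICES_CENTS[$sku] * $qty;
    }
    $stmt = $pdo->prepare('INSERT INTO checkout (full_name, total_price)
        VALUES (:full_name, :total_price)');
    // prepare() only compiles the statement; the row is written by execute(),
    // with the values bound as parameters.
    $stmt->execute([
        ':full_name'   => trim($fullName),
        ':total_price' => number_format($totalCents / 100, 2, '.', ''),
    ]);
    return $stmt->rowCount();
}

// Constructed request: an apostrophe in the name, a tampered hidden total.
$post = [
    'full_name'   => "Conan O'Brien",
    'items'       => ['widget' => '2', 'gadget' => '1'],
    'total_price' => '0.01',
];
echo saveCheckout($pdo, $post), " row(s) inserted\n";
print_r($pdo->query('SELECT full_name, total_price FROM checkout')->fetchAll(PDO::FETCH_ASSOC));
```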