I have a form like this

<div class="form-group">
    <label class="col-sm-3 control-label">
        <?php echo get_phrase('account');?>
    </label>

    <div class="col-md-6">
        <input type="text" name="account" class="form-control" width="200px">
    </div>
</div>

<div class="form-group">
    <label class="col-sm-3 control-label">
        <?php echo get_phrase('dr_to');?>
    </label>

    <div class="col-md-6">
        <input type="text" name="drto" class="form-control" width="200px">
    </div>
</div>

<div class="form-group">
    <label class="col-sm-3 control-label">
        <?php echo get_phrase('item');?>
    </label>

    <div class="col-md-6">
        <input type="text" name="item" class="form-control" width="200px">
    </div>
</div>

<div class="form-group">
    <label class="col-sm-3 control-label">
        <?php echo get_phrase('Source_of_fund');?>
    </label>

    <div class="col-md-6">
        <input type="text" name="sof" class="form-control" width="200px">
    </div>
</div>

And another form which contains arrays like this

<tbody class="detail">
    <tr>
        <td class="no">1</td>
        <td><input type="text" class="form-control productname" name="productname[]"></td>
        <td><input type="text" class="form-control quantity" name="quantity[]"></td>
        <td><input type="text" class="form-control price" name="price[]"></td>
        <td><input type="text" class="form-control discount" name="discount[]"></td>
        <td><input type="text" class="form-control amount" name="amount[]"></td>
        <td><a href="#" class="remove">Delete</a></td>
    </tr>

<!-- rest of table -->

I tried to insert it into the database. I do not see any errors, but still the data does not get inserted into my database; the database always shows up empty. This is the PHP code I am using to do the insert:

if(isset($_POST['save'])) {
    $data['numb'] = $_POST['numb'];
    $data['account'] = $_POST['account'];
    $data['drto'] = $_POST['drto'];
    $data['item'] = $_POST['item'];
    $data['sof'] = $_POST['sof'];

    $this->db->insert('voucherinfo', $data);
    $this->db->query('voucherinfo', $data);

    $id = $this->db->insert_id();

    for($i = 0; $i<count($_POST['productname']); $i++)
    {
        mysqli_query("INSERT INTO vouchers
                      SET orderid = '{$id}',
                          issue_date = '{$_POST['productname'][$i]}',
                          details = '{$_POST['quantity'][$i]}',
                          price = '{$_POST['price'][$i]}',
                          amount = '{$_POST['discount'][$i]}',
                          unit_total = '{$_POST['amount'][$i]}'");
    }
}
treyBake
Bluerose
  • How do you submit your forms? Do you get data in POST at server side? – Edgarth Aug 24 '18 at 07:55
  • Your code is open to SQL injection and should be looked at .. – treyBake Aug 24 '18 at 08:02
  • Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. – ADyson Aug 24 '18 at 08:07
  • Anyway, you mention "a form" and "another form", yet I don't see any form tags in either case. Have you actually got one set of `<form>` tags, or two? You can only submit one form at once. – ADyson Aug 24 '18 at 08:08
  • It's the same form, with a section being an array and another section isn't – Bluerose Aug 24 '18 at 08:19
  • Have you used your browser tools to verify what the browser is sending to the server and that it contains the data you expect? – ADyson Aug 24 '18 at 20:54

1 Answer

if(isset($_POST['save']))
{
    $data['numb'] = $_POST['numb'];
    $data['account'] = $_POST['account'];
    $data['drto'] = $_POST['drto'];
    $data['item'] = $_POST['item'];
    $data['sof'] = $_POST['sof'];

    // use this to prevent sql injection
    mysqli_real_escape_string($data);

    $this->db->insert('voucherinfo', $data);
    $this->db->query('voucherinfo', $data);
    $id = $this->db->insert_id();
    for($i = 0; $i<count($_POST['productname']); $i++) {
        mysqli_query("INSERT INTO vouchers
                      SET orderid = '{$id}',
                          issue_date = '{$_POST['productname'][$i]}',
                          details = '{$_POST['quantity'][$i]}',
                          price = '{$_POST['price'][$i]}',
                          amount = '{$_POST['discount'][$i]}',
                          unit_total = '{$_POST['amount'][$i]}'");
    }
}
kenji last
  • 16
  • 1
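
The parameterised-query approach recommended in the comments, applied to this form's header fields and its `[]` array fields, as an added example that is not code from the question or the answer. It assumes PDO with an in-memory SQLite database in place of the page's `$this->db` / mysqli connection, and constructed table layouts and form values; the `save_voucher` name is hypothetical. Exceptions are switched on so that a failing insert cannot pass silently.

```php
<?php
// Added example, not code from the question or the answer. An in-memory SQLite
// database stands in for the real server; both table layouts are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE voucherinfo (id INTEGER PRIMARY KEY, numb TEXT, account TEXT, drto TEXT, item TEXT, sof TEXT)');
$pdo->exec('CREATE TABLE vouchers (orderid INTEGER, issue_date TEXT, details TEXT, price TEXT, amount TEXT, unit_total TEXT)');

// Constructed sample of a submitted form; two values contain a quote character.
$post = [
    'numb' => 'V-001', 'account' => "O'Brien", 'drto' => 'Stores',
    'item' => 'Stationery', 'sof' => 'Grant',
    'productname' => ['Pens', "Printer's ink"], 'quantity' => ['10', '2'],
    'price' => ['1.50', '4.00'], 'discount' => ['0', '0'], 'amount' => ['15.00', '8.00'],
];

function save_voucher(PDO $pdo, array $post): int
{
    $fields = ['productname', 'quantity', 'price', 'discount', 'amount'];
    $rows = is_array($post['productname'] ?? null) ? count($post['productname']) : -1;
    foreach ($fields as $f) {   // each array field must be present and the same length
        if (!is_array($post[$f] ?? null) || count($post[$f]) !== $rows) {
            throw new InvalidArgumentException("field $f is missing or has the wrong length");
        }
        $post[$f] = array_values($post[$f]);   // ignore client-chosen array keys
    }
    $pdo->beginTransaction();   // header and lines are stored together or not at all
    try {
        $head = $pdo->prepare('INSERT INTO voucherinfo (numb, account, drto, item, sof) VALUES (?, ?, ?, ?, ?)');
        $head->execute([$post['numb'], $post['account'], $post['drto'], $post['item'], $post['sof']]);
        $id = (int) $pdo->lastInsertId();
        // Same field-to-column mapping as the question; values go as bound parameters.
        $line = $pdo->prepare('INSERT INTO vouchers
            (orderid, issue_date, details, price, amount, unit_total) VALUES (?, ?, ?, ?, ?, ?)');
        for ($i = 0; $i < $rows; $i++) {
            $line->execute([$id, $post['productname'][$i], $post['quantity'][$i],
                            $post['price'][$i], $post['discount'][$i], $post['amount'][$i]]);
        }
        $pdo->commit();
        return $id;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$check = $pdo->prepare('SELECT issue_date FROM vouchers WHERE orderid = ?');
$check->execute([save_voucher($pdo, $post)]);
var_dump($check->fetchAll(PDO::FETCH_COLUMN)); // read the stored lines back
```

Against MySQL the same `prepare()` / `execute()` calls work with a `mysql:` DSN in place of `sqlite::memory:`.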