
Insert data in two separate tables

I am fiddling with some code to pass time, and I am unsure if I'm doing this the right way. I would really appreciate suggestions if possible of better ways of doing this.

I took a query and added a union to make essentially the same query but with a variable that has text attached to it such as 'IN'.

Below you will see what I have tried. I did various things, but I fear I'm wasting my time since surely there is a better way of making this work.

<?php
require_once("connection/link.php");
if (
    (isset($_POST['id']) && $_POST['id'] != '') &&
    (isset($_POST['upc']) && $_POST['upc'] != '') &&
    (isset($_POST['category']) && $_POST['category'] != '') &&
    (isset($_POST['state']) && $_POST['state'] != '') &&
    (isset($_POST['quantity']) && $_POST['quantity'] != '')
) {
    $id = $link->real_escape_string($_POST['id']);
    $upc = $link->real_escape_string($_POST['upc']);
    $category = $link->real_escape_string($_POST['category']);
    $quantity = $link->real_escape_string($_POST['quantity']);
    $state = "IN";
    $query = mysqli_query($link, "SELECT * FROM products WHERE id='".$id."'");

    if (!$query) {
        die('Error: ' . mysqli_error($link));
    }
    if (mysqli_num_rows($query) > 0) {
        echo "Product code already exists";
    } else {
        $sql = "INSERT INTO products (id, upc, category, quantity) 
        VALUES ('".$id."', '".$upc."', '".$category."', '".$quantity."')
            UNION
        INSERT INTO transactions (id, upc, category, quantity, state) 
        VALUES ('".$id."', '".$upc."', '".$category."', '".$quantity."', '".$state."')";
        if (!$result = $link->query($sql)) {
            die('There was an error running the query [' . $link->error . ']');
        } else {
            echo "Product was added successfully!";
        }
    }
}
?>

This would create a historic log of all products added and whether they are IN or OUT. Mind you this is just the IN part of this whole ordeal.

You have to do two separate queries. Put them into a transaction to ensure that they're done atomically.

You should also use prepared statements to prevent SQL-injection.

You don't need a variable for IN, you can just hard-code it into the SQL.

if(!empty($_POST['id']) && !empty($_POST['upc']) && !empty($_POST['category']) && !empty($_POST['state']) && !empty($_POST['quantity'])) {
    // products has no state column, so the column list must match the four placeholders
    $prod_stmt = $link->prepare("INSERT INTO products (id, upc, category, quantity) 
        VALUES (?, ?, ?, ?)");
    $prod_stmt->bind_param("issi", $_POST['id'], $_POST['upc'], $_POST['category'], $_POST['quantity']);
    // 'IN' is hard-coded in the SQL, so only the four user-supplied values are bound
    $trans_stmt = $link->prepare("INSERT INTO transactions (id, upc, category, quantity, state) 
        VALUES (?, ?, ?, ?, 'IN')");
    $trans_stmt->bind_param("issi", $_POST['id'], $_POST['upc'], $_POST['category'], $_POST['quantity']);
    // run both inserts inside one transaction
    $link->begin_transaction();
    $prod_stmt->execute();
    $trans_stmt->execute();
    $link->commit();
}

You can also use !empty(variable) instead of checking both isset(variable) and variable != '' (note that this simplification isn't appropriate for variables where 0 or null are valid values, since those are considered empty).
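As an added example (not part of the original question or answer), the same two inserts with an explicit rollback, so that a failed second insert cannot leave a product row without its log row. The helper name addProduct is hypothetical, and the code assumes InnoDB tables and a PRIMARY KEY or UNIQUE constraint on products.id.

```php
<?php
// Added example: assumes $link (mysqli) comes from connection/link.php, the tables
// use InnoDB, and products.id is a PRIMARY KEY or UNIQUE column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any DB error
require_once("connection/link.php");
// Hypothetical helper: both rows are written, or neither is.
function addProduct(mysqli $link, int $id, string $upc, string $category, int $quantity): bool
{
    $link->begin_transaction();
    try {
        $prod = $link->prepare(
            "INSERT INTO products (id, upc, category, quantity) VALUES (?, ?, ?, ?)");
        $prod->bind_param("issi", $id, $upc, $category, $quantity);
        $prod->execute();
        $trans = $link->prepare(
            "INSERT INTO transactions (id, upc, category, quantity, state)
             VALUES (?, ?, ?, ?, 'IN')");
        $trans->bind_param("issi", $id, $upc, $category, $quantity);
        $trans->execute();

        $link->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $link->rollback();               // undo the first insert if the second failed
        if ($e->getCode() === 1062) {    // MySQL ER_DUP_ENTRY: id already exists
            return false;
        }
        throw $e;
    }
}

// Validate types up front; filter_input() returns null (missing) or false (invalid).
$id       = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT);
$upc      = filter_input(INPUT_POST, 'upc');
$category = filter_input(INPUT_POST, 'category');
if (!is_int($id) || !is_int($quantity) || !is_string($upc) || $upc === ''
    || !is_string($category) || $category === '') {
    http_response_code(400);
    exit("Invalid input");
}
try {
    echo addProduct($link, $id, $upc, $category, $quantity)
        ? "Product was added successfully!" : "Product code already exists";
} catch (mysqli_sql_exception $e) {
    error_log("addProduct failed: " . $e->getMessage()); // details go to the log only
    http_response_code(500);
    echo "Could not add product";
}
```

Relying on the unique constraint instead of a separate SELECT means the duplicate check and the insert cannot be split by a concurrent request.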
