
Why am I getting an error in my SQL syntax and an undefined index?

I have a problem with my PHP file. When submitting the form there is an error, "undefined index", in my PHP file, and also:

Error: INSERT into payment (PID,PInvoice_no,p_description,unit_price,quantity,total)VALUES('','','',','','') You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '','','')' at line 1

I couldn't find the error though I tried several times. I tried to solve this but I couldn't solve it, so please help me with this.

This is my HTML form:

<body>
        <div class-"logo">
        <img src="images/logo.png" width="150" height="130" align="left" alt="logo"/>
        
        <a href="admin.php">
        <img src="images/homebutton.png" width="130" height="130" align="right" alt="Home"/></a>
        </div>
        <br /><br /><br /><br /><br />
        
        <div class="form2">
        <pre>   <b><font size="+5">Payment</font></b></pre>
    
        
        <table>
        <form name="payment" align="center" action="payment_file.php" method="GET">
        
<tr><td>Invoice_no  &nbsp; &nbsp; &nbsp; </td><td> <input type="text" name="PInvoice_no" size="11" id="PInvoice_no" required/></td></tr>
            <tr><td>Payment description </td><td><input type="text" name="pay_description" size="50" id="p_description" required/></td></tr>
            <tr><td>Unit price  &nbsp; &nbsp; &nbsp; </td><td><input type="text" name="UP" size="5" id="unit_price"/> </td></tr>
            <tr><td>Quantity  &nbsp; &nbsp; &nbsp; </td><td><input type="number" name="quantity" size="20" id="quantity"/> </td></tr>
            <tr><td>Total </td><td><input type="text" name="total" size="10" id="total" required/></td></tr>
            <tr><td><br /></td><td> </td><td> &nbsp; &nbsp; &nbsp;  &nbsp; &nbsp; &nbsp;  &nbsp; &nbsp; &nbsp;   &nbsp; &nbsp; &nbsp;   </td></tr>
            <tr><td colspan="2"><input type="submit" name="Add" size="100" value="Add"/></td>
        </form>
        </table>
        
        </div>
</body>

This is my PHP file:

<?php
    session_start();
    include('dbconnection.php');

        $PID = $_POST['PID'];
        $PInvoice_no = $_POST['PInvoice_no'];
        $p_description = $_POST['p_description'];
        $unit_price = $_POST['unit_price'];
        $quantity = $_POST['quantity'];
        $total = $_POST['total'];
         
          
        $sql="INSERT into `payment` (PID,PInvoice_no,p_description,unit_price,quantity,total)VALUES('$PID','$PInvoice_no','$p_description',$unit_price','$quantity','$total')";
        
        
        if (mysqli_query($con, $sql)) {
          echo "New record created successfully";
        } else {
          echo "Error: " . $sql . "<br>" . mysqli_error($con);
        }
        
    mysqli_close($con);

?>

If you modify your HTML so that it is firstly valid markup and secondly sets the form's method to POST - like so:

<div class='logo'>
    <img src='images/logo.png' width='150' height='130' align='left' alt='logo'/>
    <a href='admin.php'>
        <img src='images/homebutton.png' width='130' height='130' align='right' alt='Home'/>
    </a>
</div>

<div class='form2'>

    <pre>
        <b><font size='+5'>Payment</font></b>
    </pre>

    <form name='payment' align='center' method='POST'><!-- action='payment_file.php'  -->
        <table>
            <tr>
                <td>PID</td>
                <td><input type='text' name='PID' size='11' value=23 required/></td>
            </tr>
            <tr>
                <td>Invoice_no</td>
                <td><input type='text' name='PInvoice_no' size='11' value=123456789 required/></td>
            </tr>
            <tr>
                <td>Payment description</td>
                <td><input type='text' name='pay_description' size='50' value='suspicious payment from a shady, underworld goblin' required/></td>
            </tr>
            <tr>
                <td>Unit price</td>
                <td><input type='text' name='unit_price' size='5' value=1000 /></td>
            </tr>
            <tr>
                <td>Quantity</td>
                <td><input type='number' name='quantity' size='20' value=23 /></td>
            </tr>
            <tr>
                <td>Total</td>
                <td><input type='text' name='total' size='10' required value=23000 /></td>
            </tr>
            <tr>
                <td colspan='2'><input type='submit' name='Add' size='100' value='Add'/></td>
            </tr>
        </table>
    </form>
</div>

You should then change your PHP to use a prepared statement which solves the problem found with missing quotes and helps mitigate SQL injection attacks.

<?php

    #session_start();
    #include('dbconnection.php');

    if( $_SERVER['REQUEST_METHOD']=='POST' && isset(
        $_POST['PID'],
        $_POST['PInvoice_no'],
        $_POST['pay_description'],
        $_POST['unit_price'],
        $_POST['quantity'],
        $_POST['total']
    ) ){
        
        $sql='INSERT into `payment` ( `PID`, `PInvoice_no`, `p_description`, `unit_price`, `quantity`, `total` ) VALUES ( ?, ?, ?, ?, ?, ? )';
        $stmt=$con->prepare( $sql );
        
        $stmt->bind_param('ssssss', $_POST['PID'], $_POST['PInvoice_no'], $_POST['pay_description'], $_POST['unit_price'], $_POST['quantity'], $_POST['total'] );
        $res=$stmt->execute();
        $stmt->close();
        
        exit( $res ? 'New record created successfully' : 'bogus' );
    }
?>

Rather than using multiple &nbsp; and/or <br /> tags you might find CSS options a better method ~ it certainly leaves cleaner HTML code.


UPDATE

Following your comment about testing the above I realise I missed several inconsistencies in your form and php.

  • You do not have a field PID in your form at all.
  • You refer to elements in PHP by the HTML ID rather than the name.

As, more often than not, ID attributes are not required, I removed them from the HTML here and modified the names of the form input elements whilst also adding a new one for the PID. This has now been tested with a very basic table schema and the default data above.

mysql> describe payment;
+---------------+------------------+------+-----+---------+----------------+
| Field         | Type             | Null | Key | Default | Extra          |
+---------------+------------------+------+-----+---------+----------------+
| id            | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| PID           | int(10) unsigned | NO   |     | 0       |                |
| PInvoice_no   | varchar(50)      | NO   |     | 0       |                |
| p_description | varchar(50)      | NO   |     | 0       |                |
| unit_price    | decimal(10,0)    | NO   |     | 0       |                |
| quantity      | int(10) unsigned | NO   |     | 0       |                |
| total         | decimal(10,0)    | NO   |     | 0       |                |
+---------------+------------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)


mysql> select * from payment;
+----+-----+-------------+----------------------------------------------------+------------+----------+-------+
| id | PID | PInvoice_no | p_description                                      | unit_price | quantity | total |
+----+-----+-------------+----------------------------------------------------+------------+----------+-------+
|  1 |  23 | 123456789   | suspicious payment from a shady, underworld goblin |      1000  |       23 | 23000 |
+----+-----+-------------+----------------------------------------------------+------------+----------+-------+
1 row in set (0.01 sec)
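As an added example (not the answerer's or the questioner's code), here is a hardened version of the same handler: it checks the request method, validates each field by its form name before anything reaches the database, computes the total server-side instead of trusting the client, and binds each placeholder with a type that matches the column (i, s, d) rather than binding everything as a string. It assumes the `payment` table shown above and that a hypothetical dbconnection.php defines `$con` as a mysqli connection.

```php
<?php
// Added example, not the answer's own code. Assumes the `payment` table
// described above and that dbconnection.php (hypothetical) sets $con.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
require 'dbconnection.php';

// Validate the posted fields (keyed by the form's name attributes) and
// return the typed values in column order, or null if anything is invalid.
function validate_payment(array $post): ?array
{
    $pid     = filter_var($post['PID'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $invoice = trim((string)($post['PInvoice_no'] ?? ''));
    $desc    = trim((string)($post['pay_description'] ?? ''));
    $price   = filter_var($post['unit_price'] ?? '', FILTER_VALIDATE_FLOAT);
    $qty     = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    if ($pid === false || $price === false || $price < 0 || $qty === false
        || $invoice === '' || strlen($invoice) > 50
        || $desc === '' || strlen($desc) > 50) {
        return null;
    }
    // The total is derived here; the client-supplied `total` field is ignored.
    return [$pid, $invoice, $desc, $price, $qty, $price * $qty];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

$row = validate_payment($_POST);
if ($row === null) {
    http_response_code(400);
    exit('Invalid payment data');
}

// Placeholders keep user input out of the SQL text entirely, so a quote in a
// description can neither break the statement nor change its meaning.
$stmt = $con->prepare(
    'INSERT INTO `payment` (`PID`, `PInvoice_no`, `p_description`, `unit_price`, `quantity`, `total`)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('issdid', ...$row);
$stmt->execute();
$stmt->close();

echo 'New record created successfully';
```

With mysqli_report set to throw, a failed insert raises a mysqli_sql_exception instead of echoing the raw SQL and server error back to the browser, which is what the original `echo "Error: " . $sql` line does.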
