
Inserting Shopping cart Details Into MySQL Database Using PHP

I have a shopping cart which at this point in time sends items that are bought by the customer to the database, but now I have included a login system whereby you have to be a member before you purchase an item. I have kept the logged in user in a session and so I am trying to send the session variable to the database as well once an order has been made. At the moment, I have three tables which are customers, orders and order_detail (see the following code):

<?php
session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
}
?>

<?
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

        $result=mysql_query("insert into customers values('','$name','$email','$address','$phone')");
        $customerid=mysql_insert_id();
        $date=date('Y-m-d');
        $result=mysql_query("insert into order values('','$date','$customerid')");
        $orderid=mysql_insert_id();

        $max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            mysql_query("insert into order_detail values ($orderid,$pid,$q,$price)");
        }
        die('Thank You! your order has been placed!');
        session_unset(); 
    }
?>

I have changed it into the following code:

<?php

session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
}
?>

<?
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

$max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $orderid=mysql_insert_id();
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            $date=date('Y-m-d');
            $user=$_SESSION['username'];
            mysql_query("insert into order values ($orderid,$pid,$q,$price,$date,$user)");
        }
        die('Thank You! your order has been placed!');
        session_unset(); 
    }
?>

The code above does not insert anything into my order table.

Thanks

Please make sure if your query has '' enclosed to each values,

try replacing with this:

insert into order values ('$orderid','$pid','$q','$price','$date','$user')

And make sure that the table order has no other fields that are not null when not specified:

insert into order (order_id, product_id, qty, price, order_date, order_user) values ('$orderid','$pid','$q','$price','$date','$user')

Try or die(mysql_error()) just after the mysql_query function. That would probably give you more information about the problem...

Ugh. Database operations with absolutely NO error handling at all. Assuming a DB query succeeds only gets you into situations like this - no clue as to what's wrong.

At absolutely bare minimum, your DB operations should look like this:

$sql = "... query goes here ...";
$result = mysql_query($sql);
if ($result === FALSE) {
   die("Query failed!" . mysql_error() . $sql);
}

which at least stops the script dead in its tracks, tells you that the query failed, tells you WHY it failed, and tells you what the query was.

As well, your code is WIDE OPEN to SQL injection attacks. This is especially bad in what is obviously an e-commerce setup. I suggest you immediately SHUT DOWN this system until you've had a chance to read up on this and plug the holes.
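One way to write the same customer, order and order_detail inserts with parameterised queries, a transaction and real error handling. This is an added example, not code from the question or either answer; it assumes a PDO connection in $pdo, the question's get_price() helper from includes/functions.php, and the order/order_detail column names listed in the first answer (the customers columns and customer_id are assumed).

```php
<?php
// Added example: the question's flow rewritten with PDO prepared statements.
// Assumes $pdo is an open PDO connection and get_price() exists (functions.php).
function placeOrder(PDO $pdo, array $customer, array $cart, string $username): int
{
    // Throw on any failure instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $pdo->beginTransaction();
    try {
        // Explicit column lists (names assumed); values are bound, never interpolated.
        $stmt = $pdo->prepare(
            'INSERT INTO customers (name, email, address, phone) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$customer['name'], $customer['email'],
                        $customer['address'], $customer['phone']]);
        $customerId = (int) $pdo->lastInsertId();

        // `order` is a reserved word in MySQL, so the table name must be backtick-quoted.
        $stmt = $pdo->prepare(
            'INSERT INTO `order` (order_date, customer_id, order_user) VALUES (?, ?, ?)'
        );
        $stmt->execute([date('Y-m-d'), $customerId, $username]);
        $orderId = (int) $pdo->lastInsertId();

        $stmt = $pdo->prepare(
            'INSERT INTO order_detail (order_id, product_id, qty, price) VALUES (?, ?, ?, ?)'
        );
        foreach ($cart as $item) {
            $pid = (int) $item['productid'];
            // Price is looked up server-side, never taken from the request.
            $stmt->execute([$orderId, $pid, (int) $item['qty'], get_price($pid)]);
        }

        $pdo->commit();
        return $orderId;
    } catch (Throwable $e) {
        // Undo the partial order so a failed insert leaves no half-written rows.
        $pdo->rollBack();
        throw $e;
    }
}

// Usage from the question's handler, after the session check has passed:
// $orderId = placeOrder($pdo, $_REQUEST, $_SESSION['cart'], $_SESSION['username']);
```

Because the PDO error mode is set to exceptions, a failed query surfaces with MySQL's message rather than being ignored, which is the diagnostic the answers above are asking for.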
