
Can you please explain to me why this code doesn't insert into the database?

    //INSERT VALUES IN ORDERS
    $sqlInsert = "";
    for($i = 0; $i < count($_SESSION['cart']); $i++)
    {
        $resSelect = mysqli_fetch_assoc($sqlContent);

        $prodID = $resSelect['ProdID'];
        $price = $resSelect['Price'];
        $quantity = $_SESSION['cart'][$resSelect['ProdID']];
        $sum = ($_SESSION['cart'][$resSelect['ProdID']] * $resSelect['Price']);
        $sqlInsert .= "INSERT into Order (ProdID, Quantity, Price, Sum, OrderID)
                       VALUES ($prodID, $quantity, $price, $sum, $userID);";

    }
    mysqli_query($dbLink, $sqlInsert);

That's the output of var_dump($sqlInsert):

       INSERT INTO Order (ProdID, quantity, 
       Price, Sum, OrderID) VALUES (1, 4, 200, 800, 10);
       INSERT INTO Order (ProdID, quantity, 
       Price, Sum, OrderID) VALUES (7, 3, 200, 600, 10);
       INSERT INTO Order (ProdID, quantity, 
       Price, Sum, OrderID) VALUES (9, 3, 200, 600, 10);

This works in the database, and the output of var_dump(mysqli_query($dbLink, $sqlInsert)) is always false.

Many thanks in advance.

  • You should check for mysqli errors after the insert to get more information. You're using numbers so quoting isn't a big deal, but you may want to use prepared statements and bind_param just to avoid SQL injection issues and any possible future quoting issues. Commented Jun 5, 2018 at 16:11
  • Also, ORDER is a keyword in MySQL and must be surrounded with backticks: dev.mysql.com/doc/refman/5.7/en/keywords.html Commented Jun 5, 2018 at 16:13
  • mysqli_query will execute just ONE query, but you are passing to it multiple queries. You should use mysqli_multi_query() (w3schools.com/php/func_mysqli_multi_query.asp) Commented Jun 5, 2018 at 16:13
  • Thanks, it works with mysqli_multi_query() Commented Jun 5, 2018 at 16:18
  • DO NOT use mysqli_multi_query. It doesn't support placeholder values, which makes it extremely dangerous. Commented Jun 5, 2018 at 16:39

2 Answers

As other comments above have mentioned, you should always check for errors returned by mysqli_query(). See example code: http://php.net/manual/en/mysqli.error.php

The mysqli_query() function doesn't support executing multiple statements.

I do NOT recommend using mysqli_multi_query(). There is little or no benefit to using it, and it introduces new potential SQL injection vulnerabilities (like the famous Little Bobby Tables cartoon). I spoke with the former Director of Engineering for MySQL, and he said (paraphrasing): "There's no reason for multi-query to exist, it can only do harm."

You should execute the INSERT statements one at a time. There's no reason to append multiple statements together.

If you're concerned about performance overhead of multiple statements, you can append multiple rows to a single INSERT statement. Or you can wrap a series of individual INSERT statements in a transaction.

You might like to read my presentation Load Data Fast! where I compare the performance of various strategies of inserting many rows of data.
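The two alternatives mentioned above (a single multi-row INSERT, wrapped in a transaction) combined with proper error reporting, as an added example that is not part of this answer or the original question. It assumes `$dbLink` is an open mysqli connection, `$userID` is the order id, the cart has the same shape as `$_SESSION['cart']` in the question (ProdID => quantity), and that current prices live in an assumed `Product(ProdID, Price)` table; the function name `insertOrderLines` is also made up here.

```php
<?php
// Added example, not from the question or either answer.
// Assumed: $dbLink is an open mysqli connection, $userID is the order id,
// $cart maps ProdID => quantity, and prices come from an assumed
// Product(ProdID, Price) table.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of silently returning false,
// so a reserved-word or syntax error (like the unquoted `Order`) surfaces at once.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert every cart line for one order with a single multi-row INSERT,
 * atomically, using only bound parameters.
 *
 * @param array<int,int> $cart ProdID => quantity
 * @return int number of rows inserted
 */
function insertOrderLines(mysqli $dbLink, int $userID, array $cart): int
{
    if ($cart === []) {
        return 0;
    }

    $dbLink->begin_transaction();
    try {
        // Look up current prices. The IN (...) list is made of placeholders only,
        // so the cart keys never touch the SQL text.
        $ids   = array_map('intval', array_keys($cart));
        $marks = implode(',', array_fill(0, count($ids), '?'));
        $sel   = $dbLink->prepare("SELECT ProdID, Price FROM Product WHERE ProdID IN ($marks)");
        $sel->bind_param(str_repeat('i', count($ids)), ...$ids);
        $sel->execute();
        $sel->bind_result($pid, $price);
        $prices = [];
        while ($sel->fetch()) {
            $prices[(int)$pid] = (float)$price;
        }
        $sel->close();

        // Build one "(?, ?, ?, ?, ?)" group per cart line plus the matching
        // type string and parameter list.
        $rowSql = [];
        $types  = '';
        $params = [];
        foreach ($cart as $prodID => $quantity) {
            $prodID   = (int)$prodID;
            $quantity = (int)$quantity;
            if (!isset($prices[$prodID]) || $quantity < 1) {
                throw new RuntimeException("Unknown product or bad quantity for ProdID $prodID");
            }
            $unit     = $prices[$prodID];
            $rowSql[] = '(?, ?, ?, ?, ?)';
            $types   .= 'iiddi';
            array_push($params, $prodID, $quantity, $unit, $quantity * $unit, $userID);
        }

        // ORDER is a reserved word in MySQL, so the table name must be backtick-quoted.
        $ins = $dbLink->prepare(
            'INSERT INTO `Order` (ProdID, Quantity, Price, Sum, OrderID) VALUES '
            . implode(', ', $rowSql)
        );
        $ins->bind_param($types, ...$params);
        $ins->execute();
        $inserted = $ins->affected_rows;
        $ins->close();

        $dbLink->commit();
        return $inserted;
    } catch (Throwable $e) {
        // Any failure (bad product, SQL error, lost connection) undoes the partial order.
        $dbLink->rollback();
        throw $e;
    }
}

// Usage (connection details assumed):
// $dbLink = new mysqli('localhost', 'user', 'pass', 'shop');
// $rows = insertOrderLines($dbLink, $userID, $_SESSION['cart']);
```

Because each `prepare()` call holds exactly one statement, a value that contains `; DROP TABLE ...` can only ever be stored as data, which is the property `mysqli_multi_query()` gives up. One practical caveat: MySQL caps a prepared statement at 65,535 placeholders, so a cart with thousands of lines should be split into chunks of rows before the loop above, still inside the same transaction.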


This is exactly what prepared statements are for:

// Note that ORDER is a MySQL reserved keyword and needs special escaping
$stmt = $dbLink->prepare("INSERT into `Order` (ProdID, Quantity, Price, Sum, OrderID)
        VALUES (?,?,?,?,?)");
if ($stmt === false) {
    // prepare() returns false on a syntax error, e.g. an unquoted reserved word
    die('Prepare failed: ' . $dbLink->error);
}
// One placeholder per column: i = integer, d = double. The variables are bound
// by reference, so each execute() below sends whatever they hold at that moment.
$stmt->bind_param('iiddi', $ProdID, $Quantity, $Price, $Sum, $OrderID);

for($i = 0; $i < count($_SESSION['cart']); $i++)
{
    $resSelect = $sqlContent->fetch_assoc();

    $ProdID = $resSelect['ProdID'];
    $Quantity = $_SESSION['cart'][$resSelect['ProdID']];
    $Price = $resSelect['Price'];
    $Sum = $_SESSION['cart'][$resSelect['ProdID']] * $resSelect['Price'];
    $OrderID = $userID;

    // Runs the same prepared statement again with the freshly assigned values
    if (!$stmt->execute()) {
        die('Execute failed: ' . $stmt->error);
    }
}
$stmt->close();

There's an alarmingly high number of errors in that original code that would prevent it from working at all, so you'll need to be more careful in the future and work more methodically towards solutions. Build up incrementally, testing as you go, to be sure you don't get in too deep into a solution you don't fully understand.
