I have coded the following and it's posting the data, as I can see it in the console. However, it does not seem to add to the database. I think it could be my condition in the process.php file for action: add_new, but I'm not sure.
I'm not a huge person on PHP, so I'm unsure how to see why it's failing, but it's returning successfully to the AJAX, I think, but not adding to the database, so I assume it might be what I said above.
if($_POST['action'] == "add_new"){
jQuery and Form:
<script type="text/javascript">
$(document).ready(function(){
$('div.success').hide();
$("form#add_new").submit(function() {
var started = "<?php echo time(); ?>";
var duration = $('#duration').val();
var ticket_price = $('#ticket_price').val();
var win_percentage = $('#win_percentage').val();
var description = $('#description').val();
var available = $('#available').val();
var action = "add_new";
$.ajax({
type: "POST",
url: "/admin/process.php",
data: { started: started, duration: duration, ticket_price: ticket_price, win_percentage: win_percentage, description: description, available: available, action: action },
dataType: 'json',
success: function(data){
$('form#add_new').hide(function(){$('div.success').fadeIn();});
}
});
return false;
});
});
</script>
<div class="success">successfully added new ticket</div>
<form id="add_new" method="post" class="form-horizontal">
<fieldset>
<div class="control-group">
<label for="duration" class="control-label">Duration (days)</label>
<div class="controls">
<input type="text" id="duration" class="input-xlarge" value="" />
</div>
</div>
<div class="control-group">
<label for="ticket_price" class="control-label">Ticket Price</label>
<div class="controls">
<input type="text" id="ticket_price" name="ticket_price" class="input-xlarge" value="" />
</div>
</div>
<div class="control-group">
<label for="available" class="control-label">Available to be Won(%)</label>
<div class="controls">
<input type="text" id="available" name="available" class="input-xlarge" value="" />
</div>
</div>
<div class="control-group">
<label for="win_percentage" class="control-label">Percentage of Winners</label>
<div class="controls">
<input type="text" id="win_percentage" name="win_percentage" class="input-xlarge" value="" />
</div>
</div>
<div class="control-group">
<label for="description" class="control-label">Description</label>
<div class="controls">
<textarea rows="4" id="description" name="description" class="input-xlarge"></textarea>
<span class="help-block">Automatic resize</span> </div>
</div>
<div class="control-group">
<div class="controls">
<button class="btn btn-gebo" type="submit">Save changes</button>
</div>
</div>
</fieldset>
</form>
process.php:
<?php
include "../utils.php";
// Add new raffle ticket
if($_POST['action'] == "add_new"){
$started = $_POST['started'];
$duration = $_POST['duration'];
$ticket_price = $_POST['ticket_price'];
$win_percentage = $_POST['win_percentage'];
$description = mysql_real_escape_string($_POST['description']);
$available = $_POST['available'];
my_query("INSERT INTO " . $db_prefix . " (lotteries(started, duration, ticket_price, win_percentage, description,available) values) VALUES ('$started','$duration','$ticket_price','$win_percentage','$description','$available')");
mysql_query($add_to_shelf) or die(mysql_error());
}
?>
In God I trust is right. Using PDO is much safer. Here's a short example of how to insert into your database:
$stmt = $dbo->prepare("INSERT INTO customer (name, email, password)
VALUES (:name, :mail, :pass)");
$stmt->bindParam(':name', $_POST['full_name']);
$stmt->bindParam(':mail', $_POST['email']);
$stmt->bindParam(':pass', $_POST['password']);
$stmt->execute();
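Applying the same idea to the asker's form, here is an added example of what process.php could look like with PDO (example code, not from the question or either answer). It assumes a `lotteries` table with the columns the question inserts into, and the DSN and credentials are placeholders.

```php
<?php
// Added example (not the asker's or any answerer's code): process.php rewritten around PDO.
// Assumptions: a `lotteries` table with the columns the question inserts, and the DSN/credentials
// below are placeholders to be replaced.
header('Content-Type: application/json');
$dbo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failed INSERTs throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

function add_new_lottery(PDO $dbo, array $post): array
{
    // Validate each field before it gets near SQL; reject bad input rather than coercing it.
    $duration       = filter_var($post['duration'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $ticket_price   = filter_var($post['ticket_price'] ?? null, FILTER_VALIDATE_FLOAT);
    $win_percentage = filter_var($post['win_percentage'] ?? null, FILTER_VALIDATE_FLOAT);
    $available      = filter_var($post['available'] ?? null, FILTER_VALIDATE_FLOAT);
    $description    = trim((string) ($post['description'] ?? ''));
    if ($duration === false || $ticket_price === false || $win_percentage === false || $available === false
        || $ticket_price < 0 || $win_percentage < 0 || $win_percentage > 100
        || $available < 0 || $available > 100 || $description === '') {
        return ['ok' => false, 'error' => 'invalid input'];
    }
    // Placeholders carry the values; user data is never concatenated into the SQL text.
    $stmt = $dbo->prepare(
        'INSERT INTO lotteries (started, duration, ticket_price, win_percentage, description, available)
         VALUES (:started, :duration, :ticket_price, :win_percentage, :description, :available)'
    );
    $stmt->execute([
        ':started'        => time(),      // set server-side; the browser-supplied value is not trusted
        ':duration'       => $duration,
        ':ticket_price'   => $ticket_price,
        ':win_percentage' => $win_percentage,
        ':description'    => $description,
        ':available'      => $available,
    ]);
    return ['ok' => true, 'id' => (int) $dbo->lastInsertId()];
}

if (($_POST['action'] ?? '') === 'add_new') {
    try {
        echo json_encode(add_new_lottery($dbo, $_POST));
    } catch (PDOException $e) {
        error_log('add_new failed: ' . $e->getMessage()); // details to the server log, not the client
        http_response_code(500);
        echo json_encode(['ok' => false, 'error' => 'database error']);
    }
}
```

Because the response is JSON with an `ok` flag and a non-200 status on failure, the jQuery `success` callback no longer hides the form when the row was never written.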
There is too much wrong, but for a start there is no function called my_query, on your second-to-last line in the PHP. If I were you I would check that the PHP code works properly first using basic GET variables or something, and then work on the POST variables.
When you have finished that, your code is subject to MySQL injection. You need to take a look at stopping these deprecated mysql_ functions and move to a supported type like PDO.
To start with, I would suggest:
1) checking whether or not your PHP is called;
2) checking what it is doing and what the results are.
If you don't have the toolbox to do so, here are some useful functions:
function PrintLog($string)
{
    if (!BDEBUG)
        return;
    $logDir = LOGPATH;
    if (!file_exists($logDir))
    {
        umask(000);
        if (!mkdir($logDir, 0777))
            error_log("Failed to create Directory $logDir"); // PHP built-in: goes to the server error log
        chmod($logDir, 0777);
    }
    // One log file per day, opened in append mode
    $fplog = @fopen($logDir.'/'.'debug-'.date('Y-m-d').'.log', 'a');
    if ($fplog)
    {
        fwrite($fplog, date("d-m-Y H:i:s")."\t".$string);
        fwrite($fplog, "\n");
        fclose($fplog);
    }
}
function PrintrLog(&$arrayToDump, $strName = '')
{
    // Capture print_r() output into a string and send it to the log
    ob_start();
    print_r($arrayToDump);
    PrintLog("$strName = ".ob_get_contents());
    ob_end_clean();
}
Insert those functions into your PHP script along with this code:
define("BDEBUG", true);
define("LOGPATH", "./log/");
PrintrLog($_POST);
Then have a look at the generated log file. If there is nothing, look at your Apache logs; maybe some error will be there waiting for you to fix. If the log is there, check whether the POST is how it should be; then it's probably a problem in your SQL. I don't know much about your DB schema, but intuitively I would write something more like this:
$my_query = "INSERT INTO lotteries (started, duration, ticket_price, win_percentage, description, available) VALUES ('$started', '$duration', '$ticket_price', '$win_percentage', '$description', '$available')";
PrintLog($my_query); // Take it from the logs and run it manually in phpMyAdmin to debug it easily
You can add this kind of function to your toolbox too:
function ExecQuery($Cnx, $baseName, $query, &$sqlError)
{
    PrintLog($query);
    $result = mysql_query($query, $Cnx);
    if (!$result)
    {
        $sqlError = "ERROR: Failed to execute query '$query' [".mysql_errno().': '.mysql_error().']';
        PrintLog($sqlError);
        return false;
    }
    return $result;
}
I hope this will help you in your current and future investigations ;-)
PS: You should also think about using such a function to systematically avoid SQL injection:
function getPostValue($name) {
    if (!isset($_POST[$name]))
        return '';
    return mysql_real_escape_string($_POST[$name]);
}
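The logging toolbox above writes to a world-writable directory under the site and records raw request data. Here is an added example (not from the answer) of the same PrintLog/PrintrLog/ExecQuery idea written so the log lives outside the web root with owner-only permissions, secrets are masked, and the query helper uses PDO so the logged SQL never contains user input. `DEBUG_LOG_DIR` is a placeholder path, and `$dbo` is assumed to be a PDO connection in exception mode.

```php
<?php
// Added example, not from any answer above: a debug toolbox in the spirit of PrintLog/PrintrLog,
// but the log directory sits outside the web root with owner-only permissions (not a 0777 directory
// under the site), secrets are masked, and newlines in user input cannot forge extra log lines.
// Assumption: DEBUG_LOG_DIR is a placeholder path writable by the web server user.
define('BDEBUG', true);
define('DEBUG_LOG_DIR', '/var/log/myapp');

function debug_log(string $message): void
{
    if (!BDEBUG) {
        return;
    }
    if (!is_dir(DEBUG_LOG_DIR) && !mkdir(DEBUG_LOG_DIR, 0700, true)) {
        error_log('debug_log: cannot create ' . DEBUG_LOG_DIR); // fall back to the server log
        return;
    }
    $file = DEBUG_LOG_DIR . '/debug-' . date('Y-m-d') . '.log';
    $record = date('Y-m-d H:i:s') . "\t" . str_replace(["\r", "\n"], ' ', $message) . "\n";
    file_put_contents($file, $record, FILE_APPEND | LOCK_EX);
    chmod($file, 0600);
}

function debug_log_post(array $post, array $redact = ['password', 'pass']): void
{
    // Same idea as PrintrLog($_POST), but mask secrets before they reach disk.
    foreach ($redact as $key) {
        if (array_key_exists($key, $post)) {
            $post[$key] = '[redacted]';
        }
    }
    debug_log('POST = ' . var_export($post, true));
}

function exec_query(PDO $dbo, string $sql, array $params): PDOStatement
{
    // Counterpart of ExecQuery(): log the SQL template and the parameters separately,
    // so the statement text never contains user-controlled data.
    debug_log('SQL = ' . $sql . ' PARAMS = ' . json_encode($params));
    try {
        $stmt = $dbo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        debug_log('SQL ERROR: ' . $e->getMessage());
        throw $e; // the caller decides what (little) to tell the client
    }
}
```

In the asker's process.php this would be called as `debug_log_post($_POST);` followed by `exec_query($dbo, 'INSERT INTO lotteries (...) VALUES (:started, ...)', [':started' => time(), ...]);`, with the placeholders filled in from the validated fields.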