This is my code:
<?php
if (!isset($_POST['op']) || $_POST['op'] != "add") {
    //haven't seen the form, so show it
    //PHP_SELF is escaped because it reflects the request path into the page
    $display_block = "<h1>Add a Book</h1>
    <form method=\"post\" action=\"" . htmlspecialchars($_SERVER['PHP_SELF']) . "\">
    <P><strong>Artist:</strong><br>
    <input type=\"text\" name=\"book_artist\" size=30 maxlength=100>
    <P><strong>Book Title:</strong><br>
    <input type=\"text\" name=\"item_name\" size=30 maxlength=75>
    <P><strong>Book Author:</strong><br>
    <input type=\"text\" name=\"book_author\" size=30 maxlength=50>
    <P><strong>Description:</strong><br>
    <textarea name=\"desc\" cols=35 rows=7 wrap=virtual></textarea>
    <P><strong>Price:</strong><br>
    <input type=\"text\" name=\"item_price\" size=10 maxlength=10>
    <P><strong>Image:</strong><br>
    <input type=\"text\" name=\"item_image\" size=30 maxlength=100>
    <input type=\"hidden\" name=\"op\" value=\"add\">
    <p><input type=\"submit\" name=\"submit\" value=\"Add Book\"></p>
    </FORM>";
} else {
    //time to add to tables, so check for required fields
    if (empty($_POST['book_artist'])) {
        header("Location: addbook.php");
        exit;
    }
    //connect to database (the mysql_* extension was removed in PHP 7; mysqli or PDO replace it)
    $conn = mysql_connect("localhost", "username", "password")
        or die(mysql_error());
    mysql_select_db("shoot_the_moon", $conn) or die(mysql_error());
    //add to store_items table
    $add_items = sprintf('
        INSERT INTO store_items
        (item_name, item_price, item_image)
        VALUES("%s", "%s", "%s")
        ',
        mysql_real_escape_string($_POST['item_name']),
        mysql_real_escape_string($_POST['item_price']),
        mysql_real_escape_string($_POST['item_image'])
    );
    mysql_query($add_items) or die(mysql_error());
    //get item id for use with other tables
    $item_id = mysql_insert_id();
    if (!empty($_POST['book_artist']) || !empty($_POST['book_author'])) {
        //something relevant so add to the book table
        $add_book = sprintf('
            INSERT INTO store_books
            (book_artist, book_author)
            VALUES("%s", "%s")
            ',
            mysql_real_escape_string($_POST['book_artist']),
            mysql_real_escape_string($_POST['book_author'])
        );
        mysql_query($add_book) or die(mysql_error());
    }
    $display_block = "<h1>Record Added</h1>
    <P>Your record has been added. Would you like to
    <a href=\"addbook.php\">add another</a>?</p>
    <P>Go back to the
    <a href=\"adminmenu.php\">main menu</a></p>";
}
?>
<HTML>
<HEAD>
<TITLE>Add a Book</TITLE>
</HEAD>
<BODY>
<?php echo $display_block; ?>
</BODY>
</HTML>

And also, can anyone suggest the best way to insert some sort of image that is on the server and retrieve it from the database, e.g. would saving the URL of the image and retrieving it be the best solution?
And one final thing, since I'm new to PHP: if anyone can see any vulnerable parts of the code security-wise, then please post a link or solution to get round this. It's something I no doubt will need to learn.
Cheers
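Addressing both questions in the post above, here is an added example (not code from the original post) of the same script rewritten with PDO prepared statements, server-side validation and output escaping. It assumes PDO with MySQL and a store_books.item_id column linking each book to its store_items row, and it stores the image as a bare filename under /images/ rather than the image bytes, which is the usual way to keep images on the server and reference them from the database.

```php
<?php
// Hardened rewrite of the add-book handler (added example, not the poster's code).
// Assumes PDO with MySQL and that store_books has an item_id column referencing store_items;
// the image is stored as a bare filename under /images/, not as a blob.
$pdo = new PDO('mysql:host=localhost;dbname=shoot_the_moon;charset=utf8mb4', 'username', 'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// Server-side length limit: the form's maxlength is advisory and trivially bypassed.
function field(string $name, int $max): string {
    $v = $_POST[$name] ?? '';
    return (is_string($v) && strlen($v) <= $max) ? trim($v) : '';
}
// Escape once, at output time, so stored data can never become markup in the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
if (($_POST['op'] ?? '') === 'add') {
    $name   = field('item_name', 75);
    $artist = field('book_artist', 100);
    $author = field('book_author', 50);
    $image  = field('item_image', 100);
    $price  = filter_input(INPUT_POST, 'item_price', FILTER_VALIDATE_FLOAT, ['options' => ['min_range' => 0]]);
    // Required fields, a non-negative price, and a plain filename (no slashes or "..", so no traversal).
    if ($name === '' || $artist === '' || !is_float($price)
        || !preg_match('/^[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)$/', $image)) {
        header('Location: addbook.php'); exit;
    }

    $pdo->beginTransaction();  // both rows or neither
    $pdo->prepare('INSERT INTO store_items (item_name, item_price, item_image) VALUES (?, ?, ?)')
        ->execute([$name, $price, $image]);  // bound parameters never reach the SQL parser as code
    $itemId = (int) $pdo->lastInsertId();
    $pdo->prepare('INSERT INTO store_books (item_id, book_artist, book_author) VALUES (?, ?, ?)')
        ->execute([$itemId, $artist, $author]);
    $pdo->commit();

    $display_block = '<h1>Record Added</h1><p>Added <strong>' . h($name) . '</strong> with image '
        . '<img src="/images/' . h($image) . '" alt=""> <a href="addbook.php">Add another</a>?</p>';
} else {
    // Fixed action URL instead of $_SERVER['PHP_SELF'], which reflects the request path into the page.
    $display_block = '<h1>Add a Book</h1><form method="post" action="addbook.php">'
        . '<p>Artist:<br><input type="text" name="book_artist" maxlength="100"></p>'
        . '<p>Title:<br><input type="text" name="item_name" maxlength="75"></p>'
        . '<p>Author:<br><input type="text" name="book_author" maxlength="50"></p>'
        . '<p>Price:<br><input type="text" name="item_price" maxlength="10"></p>'
        . '<p>Image filename:<br><input type="text" name="item_image" maxlength="100"></p>'
        . '<input type="hidden" name="op" value="add"><p><input type="submit" value="Add Book"></p></form>';
}
?>
<!DOCTYPE html><html><head><title>Add a Book</title></head><body><?php echo $display_block; ?></body></html>
```

The same h() escaping is what a listing page should apply to item_image and item_name when it later reads them back from the database, since the values are only safe to embed in HTML once they have been escaped for that context.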