PHP
eliz_min, 2020-05-14 20:01:16

Comparing input to database and putting it into another table?

The task is to create a calorie counter: the user enters the name of the product that he has consumed, and the amount of calories per day is displayed to him. At this stage, a database with products has been created, along with a used table, which contains the user id, product id and time. Now I'm trying to check whether the entered product exists in the database and add this product to the used table. I don't know much about backend; I work with the front end. I hope for understanding)
Attempt at implementation:

<?php
$link=mysqli_connect("localhost", "root", "root", "diploma");

$query = mysqli_query($link,"SELECT Product_id,Callorie FROM product WHERE Name_Of_Product='".mysqli_real_escape_string($link,$_POST['name'])."' LIMIT 1");
$data = mysqli_fetch_assoc($query);

if($data['Name_Of_Product'] === md5(md5($_POST['name'])))
{
    mysqli_query($link, "INSERT INTO comsume (Id_p)VALUES ($data['Product_id'])");
}
?>
<form method="POST">
    <input name="name" type="text" required><br>

</form>


2 answer(s)
FanatPHP, 2020-05-14
@FanatPHP

Why does the product name come from the client rather than its id?
What is md5(md5($_POST['name'])) and why?
Why is there a record in the "comsume" table with only $data['Product_id'] and nothing else?
Why are there so many typos in table names?

ThunderCat, 2020-05-14
@ThunderCat

Could you describe the implementation logic in a nutshell, step by step? Otherwise, the code looks more like letters from a stoned Hatter...
UPD: eliz_min
Simple. It is also desirable to:
a) use real and logical English terms and words (the ones you don't know, google);
b) prepare all the data in advance;
c) search with LIKE to find inexact word forms in the database;
d) ideally use prepared statements (I left it here as it is, read up on it and apply it yourself);
e) name the fields in the database in lowercase, with underscores as word separators (everything is OK with the separator, but the fields should be named normally);
f) wrap the names of fields and tables in `` (backquotes).

$name = mysqli_real_escape_string($link, $_POST['name']);
$sql = "SELECT `product_id`, `calorie`
FROM `product`
WHERE `name_of_product` LIKE '%{$name}%'
LIMIT 1";
$query = mysqli_query($link, $sql);
$data = mysqli_fetch_assoc($query);
OK, here we (probably) got the id and the number of calories of the food with the name that came in the POST...
2) More interesting...
"the user enters the name of the product that he consumed and the amount of calories per day is displayed to him."
As a person superficially familiar with dietary nutrition, I suspect that "I ate cheese" and "I ate 2 kilos of cheese" are not always the same thing. Do you understand what I'm getting at?
"At this stage, a database has been created with products and a table used, which contains the user id, product id and time."
Something is missing, don't you think? Okay, let's move on...
3) And right there on the first line everything becomes very interesting for us, I would even say that here the Hatter inhaled especially deeply...:
if($data['Name_Of_Product'] === md5(md5($_POST['name']))) {...
So, given that we didn't ask to select any Name_Of_Product in the query, it's natural that there will already be crap there, but then it gets even more interesting: md5(md5($_POST['name'])), mysterious shamanic voodoo dances, apparently so that this piece of code inside the condition is EXACTLY never executed. In general, I would like to hear how this code came to your mind and what you think it should do. So, purely to understand how the bizarre mind works...
4)
mysqli_query($link, "INSERT INTO comsume (Id_p)VALUES ($data['Product_id'])");
"...which contains the user id, product id and time."
But for some reason you only insert the product id; besides, as I said, "something is missing")
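
Point d) in the answer above recommends prepared statements but leaves them to the asker. The following is an added example, not code from the thread: it binds the product name as a parameter and also escapes LIKE wildcards, which neither mysqli_real_escape_string nor parameter binding does. The `Id_u` and `Used_at` columns, the helper function names and `$_SESSION['user_id']` are assumptions; the thread names only `Id_p`.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) names:
// columns Id_u and Used_at in `comsume`, the helpers, $_SESSION['user_id'].
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Escape LIKE metacharacters so a typed % or _ matches literally.
// Relies on MySQL's default LIKE escape character, the backslash.
function like_contains(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

// Look up one product by partial name; returns the row or null.
function find_product(mysqli $link, string $name): ?array
{
    $stmt = $link->prepare(
        'SELECT `Product_id`, `Callorie`, `Name_Of_Product`
           FROM `product`
          WHERE `Name_Of_Product` LIKE ?
          ORDER BY `Name_Of_Product`
          LIMIT 1'
    );
    $pattern = like_contains($name);
    $stmt->bind_param('s', $pattern);   // value travels separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Store user id, product id and time, as the question describes the table.
function log_consumption(mysqli $link, int $userId, int $productId): void
{
    $stmt = $link->prepare(
        'INSERT INTO `comsume` (`Id_u`, `Id_p`, `Used_at`) VALUES (?, ?, NOW())'
    );
    $stmt->bind_param('ii', $userId, $productId);
    $stmt->execute();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($_POST['name'] ?? null)) {
    session_start();
    $link = mysqli_connect('localhost', 'root', 'root', 'diploma');
    $link->set_charset('utf8mb4');
    $product = find_product($link, trim($_POST['name']));
    if ($product !== null && isset($_SESSION['user_id'])) {
        log_consumption($link, (int) $_SESSION['user_id'], (int) $product['Product_id']);
    }
}
```

The user id is taken from the server-side session rather than from the form, so a client cannot log consumption for another account by editing a field.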
