  1. #1
    SitePoint Member
    Join Date
    May 2013
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    double booking check not working

    Please, what is wrong with this code? The JavaScript alert is not running. When the user tried to make a booking twice there was no alert message and the data went into the database.

    Please Help!

    HERE IS THE CODE (Not all)

    PHP Code:
    <?php
    /**********************************************************************************************
      Check the DB for records...
    **********************************************************************************************/

    // check for the Id already in the database... USE COUNT TO COUNT AROUND THE EMAIL FIELD IN THE TABLE.
    $query = "SELECT COUNT(national_id) FROM bookings WHERE national_id = 'thisNational_idField'";
    if ($debug) echo "<br>SQL STATEMENT:<br>" . $query . "<br><br>";

    // result from the select query, assign it to the result variable
    $result = mysql_query($query) or die("Invalid query (login): " . mysql_error());

    // fetch the row in the database, i.e. the row that is affected
    $row = mysql_fetch_row($result);

    // it should not be greater than zero, else the email is already in the database
    if ($row[0] > 0)
    {
        // an email already exists in the database, because the row count > 0...
    ?>
        <script type="text/javascript">
        alert("The ID <?php echo $_POST['thisNational_idField']; ?> is already registered.");
        history.back();
        </script>
    <?php
    }
    else
    {
        // this query inserts those fields gotten from the form with the REQUEST method into the database (bookings table)
        $sqlQuery = "INSERT INTO bookings (national_id , fname , mname , lname , company , title , address1 , address2 , city , country , postal_code , phone , serviceReq , date )
            VALUES ('$thisNational_id' , '$thisFname' , '$thisMname' , '$thisLname' , '$thisCompany' , '$thisTitle' , '$thisAddress1' , '$thisAddress2' ,  '$thisCity' , '$thisCountry' , '$thisPostal_code' , '$thisPhone' , '$thisService_Req' , '$thisDate' )";

        // then give the output of the query to the variable result, then use the mysql_query() function to execute it
        $result = mysql_query($sqlQuery) or die("Invalid query: " . mysql_error() . "<br><br>" . $sqlQuery);
    }
    ?>
    Last edited by ScallioXTX; May 13, 2013 at 11:37. Reason: Wrapped code in [php]

  2. #2
    SitePoint Evangelist captainccs's Avatar
    Join Date
    Mar 2004
    Location
    Caracas, Venezuela
    Posts
    516
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by sharmel4u:
    PHP Code:
    WHERE national_id = 'thisNational_idField'
    "thisNational_idField" is not a variable, it's missing the $ sign
    Denny Schlesinger
    web services

  3. #3
    SitePoint Member
    Join Date
    May 2013
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks a lot, I have been able to correct it, cheers

    WHERE national_id = '". $_POST['thisNational_idField']."'";

  4. #4
    From Italy with love
    guido2004's Avatar
    Join Date
    Sep 2004
    Posts
    9,501
    Mentioned
    163 Post(s)
    Tagged
    4 Thread(s)
    That is vulnerable to sql injection.

    In the insert query, you're using $thisNational_id . I suppose that variable contains a sanitized version of $_POST['thisNational_idField']? If so, use that.
    If not, you should start sanitizing user data before using it in queries, or you might want to take a look at mysqli or PDO.

  5. #5
    SitePoint Member
    Join Date
    May 2013
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah thanks, I have used this to sanitize the inputs.

    $thisNational_id = addslashes($_REQUEST['thisNational_idField']);
    $thisFname = addslashes($_REQUEST['thisFnameField']);
    $thisMname = addslashes($_REQUEST['thisMnameField']);

  6. #6
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,748
    Mentioned
    72 Post(s)
    Tagged
    0 Thread(s)
    addslashes is not sanitization.
    At the very least, if the national_id is meant to be an integer, cast the variable as an int.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.
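    The advice in posts #4 and #6 (stop building SQL from user strings, validate national_id as an integer, use mysqli or PDO) worked through as one script. This is an added example, not code from anyone in the thread: it uses an in-memory SQLite database as a stand-in for the poster's MySQL `bookings` table so it runs offline (the same PDO calls work with a `mysql:` DSN), trims the table to three columns, and the function names `parseNationalId`, `bookingExists` and `insertBooking` are assumptions made for the example.

```php
<?php
// Added example (not the thread's own code): duplicate-booking check and
// insert done with PDO prepared statements instead of string-built mysql_* queries.
// SQLite in memory stands in for the poster's MySQL "bookings" table so the
// script runs offline; the table is reduced to three columns for brevity.

// Validate national_id as a positive integer before it goes anywhere near SQL
// (post #6: "cast the variable as an int"). Returns null for missing or
// non-integer input so the caller can reject the request outright.
function parseNationalId(array $input): ?int
{
    if (!isset($input['thisNational_idField'])) {
        return null;
    }
    $id = filter_var($input['thisNational_idField'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The COUNT check from post #1, with the ID bound as a parameter: user data is
// sent separately from the SQL text, so no quoting or escaping is needed.
function bookingExists(PDO $db, int $nationalId): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM bookings WHERE national_id = :id');
    $stmt->bindValue(':id', $nationalId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Insert a booking. Returns true on success, false if the ID was already booked.
function insertBooking(PDO $db, int $nationalId, string $fname, string $lname): bool
{
    if (bookingExists($db, $nationalId)) {
        return false;
    }
    try {
        $stmt = $db->prepare('INSERT INTO bookings (national_id, fname, lname) VALUES (:id, :fname, :lname)');
        $stmt->bindValue(':id', $nationalId, PDO::PARAM_INT);
        $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
        $stmt->bindValue(':lname', $lname, PDO::PARAM_STR);
        $stmt->execute();
        return true;
    } catch (PDOException $e) {
        // The UNIQUE index below is the real guard: two requests can both pass
        // the COUNT check before either inserts. SQLSTATE 23000 is the
        // integrity-constraint violation raised for the loser of that race.
        if ($e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bookings (id INTEGER PRIMARY KEY, national_id INTEGER NOT NULL UNIQUE, fname TEXT, lname TEXT)');

// Constructed sample submissions standing in for $_REQUEST from the booking form.
$requests = [
    ['thisNational_idField' => '12345',    'thisFnameField' => 'Ada',  'thisLnameField' => 'Lovelace'],
    ['thisNational_idField' => '12345',    'thisFnameField' => 'Ada',  'thisLnameField' => 'Lovelace'], // double booking
    ['thisNational_idField' => '12345abc', 'thisFnameField' => 'Mal',  'thisLnameField' => 'Formed'],   // not an integer
];

foreach ($requests as $post) {
    $id = parseNationalId($post);
    if ($id === null) {
        echo "Rejected: national_id must be a positive integer\n";
        continue;
    }
    if (insertBooking($db, $id, $post['thisFnameField'], $post['thisLnameField'])) {
        echo "Booked ID $id\n";
    } else {
        echo "The ID $id is already registered.\n";
    }
}
```

    Two points the thread raises are visible here. First, `addslashes` never appears: with bound parameters the database driver handles the value, so there is nothing to escape, and the integer validation rejects the malformed third request before any query is built. Second, the COUNT-then-INSERT pattern from post #1 still has a window between the check and the insert, so the `UNIQUE` constraint on `national_id` is what actually prevents a double booking; the catch block turns that constraint error into the same "already registered" result the JavaScript alert was meant to show.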

