Double booking check not working

Please what is wrong with this code, the Javascript alert is not running. When user tried to make booking twice there was no alert message and the data went into the database

Please Help!


  Check the DB for records...

	// check for the Id already in the database...USE COUNT TO COUNT ARROUND THE EMAIL FIELD IN THE TABLE.
	$query = "SELECT COUNT(national_id) FROM bookings WHERE national_id = 'thisNational_idField'";
	if ($debug) echo "<br>SQL STATEMENT:<br>".$query."<br><br>";
   // result from the select query assign it to result variable
	 $result = mysql_query($query) or die("Invalid query (login): " . mysql_error());
	 // fetch the row in the database i.e the row that is affected
	 $row = mysql_fetch_row($result);
	 // it should not be greater than zero else the email is already in the databse
	if ($row[0] > 0) 
	// an email aleady exists in the database, because the row count > 0...
	<script type="text/javascript">
    alert("The ID <?php echo $_POST['thisNational_idField']; ?> is already registered.");
// this query insert those fields gotten from the form with the REQUEST method into the database (bookings table)
$sqlQuery = "INSERT INTO bookings (national_id , fname , mname , lname , company , title , address1 , address2 , city , country , postal_code , phone , serviceReq , date )
	VALUES ('$thisNational_id' , '$thisFname' , '$thisMname' , '$thisLname' , '$thisCompany' , '$thisTitle' , '$thisAddress1' , '$thisAddress2' ,  '$thisCity' , '$thisCountry' , '$thisPostal_code' , '$thisPhone' , '$thisService_Req' , '$thisDate' )";
	// then give the output of the query to the variable result. then use mysql-query() funtion to execute it
$result = mysql_query($sqlQuery) or die("Invalid query: " . mysql_error() . "<br><br>". $sqlQuery);



WHERE national_id = 'thisNational_idField'

“thisNational_idField” is not a variable, it’s missing the $ sign

Thanks alot, I have been able to correct it :slight_smile: cheers

WHERE national_id = ‘“. $_POST[‘thisNational_idField’].”’";

That is vulnerable to sql injection.

In the insert query, you’re using $thisNational_id . I suppose that variable contains a sanitized version of $_POST[‘thisNational_idField’]? If so, use that.
If not, you should start sanitizing user data before using it in queries, or you might want to take a look a mysqli or pdo.

Yeah thanks, I have used this to sanitize the inputs.

$thisNational_id = addslashes($_REQUEST[‘thisNational_idField’]);
$thisFname = addslashes($_REQUEST[‘thisFnameField’]);
$thisMname = addslashes($_REQUEST[‘thisMnameField’]);

addslashes is not sanitization.
At the very least, if the national_id is meant to be an integer, cast the variable as an int.