
Hi, I cannot get the below query to work in order to insert the session data into the database. Could anyone please tell me what is wrong with it or what I can do to fix it? Thanks in advance.

<?php
session_start();
if (isset($_POST['sub'])) {
    $host = 'localhost';
    $user = 'root';
    $pass = '';
    $db   = 'theatre_booking';

    $con = mysqli_connect($host, $user, $pass, $db);

    $row = $_POST['row'];
    $_SESSION["row"] = $row;

    $zone = $_POST['zone'];
    $_SESSION["zone"] = $zone;

    $quantity = $_POST['numberOfTickets'];
    $_SESSION["numberOfTickets"] = $quantity;

    $sql = "INSERT INTO booking(PerfDate, PerfTime, Name, Email, RowNumber)
    VALUES
        '{$_SESSION['date']}',
        '{$_SESSION['time']}',
        '{$_SESSION['name']}',
        '{$_SESSION['email']}',
        '{$_SESSION['row']}')";

    if ($con->query($sql) === TRUE) {
        echo "Booking successful";
    } else {
        echo "Error: " . $sql . "<br>" . $con->error;
    }
}
?>
stdcall
YasMan
  • Two notes: 1. you haven't told us what error is occurring (if any), and 2. your code is vulnerable to [SQL Injection attacks](http://stackoverflow.com/search?q=sql+injection) – samlev Dec 03 '15 at 18:32
  • 2. is true only if the SESSION data is populated from user input, else is harmless – Alex Andrei Dec 03 '15 at 18:39
  • @AlexAndrei - see a few lines above: `$row = $_POST['row']; $_SESSION["row"]=$row;`. It is populated from user input. – Adam Michalik Dec 03 '15 at 18:41
  • @YasMan - what's the error, what's the DB schema? – Adam Michalik Dec 03 '15 at 18:42
  • @AdamMichalik I can see them all now, my bad :) – Alex Andrei Dec 03 '15 at 18:43
  • @AdamMichalik the error is Error: INSERT INTO booking(PerfDate, PerfTime, Name, Email, RowNumber) VALUES '2015-12-08', '14:00:00', 'Name', 'name@gmail.com', 'U11') You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''2015-12-08', '14:00:00', 'Name', 'name@gmail.com', 'U' at line 3 – YasMan Dec 03 '15 at 18:45
  • @AlexAndrei How do I protect it from injection attacks? I am new to this. – YasMan Dec 03 '15 at 18:46
  • you start by reading this fine Q&A http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Alex Andrei Dec 03 '15 at 18:48

2 Answers

You are missing the opening bracket '(' after VALUES in the insert statement.

$sql = "INSERT INTO booking(PerfDate, PerfTime, Name, Email, RowNumber)
VALUES (
    '{$_SESSION['date']}',
    '{$_SESSION['time']}',
    '{$_SESSION['name']}',
    '{$_SESSION['email']}',
    '{$_SESSION['row']}')";

if ($con->query($sql) === TRUE) {
    echo "Booking successful";
} else {
    echo "Error: " . $sql . "<br>" . $con->error;
}
cyber.sh

Missing opening parenthesis after VALUES. I also suggest you explicitly write the variables into the string: don't rely on PHP variable expansion. It's also much easier to read.

$sql = 'INSERT INTO booking(PerfDate, PerfTime, Name, Email, RowNumber)
 VALUES
 ("' . $_SESSION["date"] . '",
  "' . $_SESSION['time'] . '",
  "' . $_SESSION['name'] . '",
  "' . $_SESSION['email'] . '",
  "' . $_SESSION['row'] . '"
  )';
Alex Andrei
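Both answers fix the syntax error, but the comment thread also points out that `$_SESSION['row']` comes straight from `$_POST`, so either corrected string is still open to SQL injection. The following is an added example, not code from the question or from either answer: the same INSERT written with a mysqli prepared statement. The table and column names and the session keys are those used in the question; the connection settings are placeholders, and the `isset` checks on the earlier session values are an assumption about how the previous form steps populate them.

```php
<?php
// Added example: the question's INSERT as a mysqli prepared statement.
// The VALUES list is parenthesised (the original syntax error) and the
// session values are bound as parameters instead of being quoted into
// the SQL text, which closes the injection path discussed in the comments.
session_start();

if (isset($_POST['sub'])) {
    // Placeholder connection settings, as in the question.
    $con = mysqli_connect('localhost', 'root', '', 'theatre_booking');
    if ($con === false) {
        die('Connection failed: ' . mysqli_connect_error());
    }

    // Copy the posted values into the session exactly as the question does.
    $_SESSION['row']             = isset($_POST['row']) ? $_POST['row'] : '';
    $_SESSION['zone']            = isset($_POST['zone']) ? $_POST['zone'] : '';
    $_SESSION['numberOfTickets'] = isset($_POST['numberOfTickets']) ? $_POST['numberOfTickets'] : '';

    // Assumption: date, time, name and email were stored by earlier form steps.
    foreach (array('date', 'time', 'name', 'email') as $key) {
        if (!isset($_SESSION[$key])) {
            die('Missing session value: ' . $key);
        }
    }

    // "?" placeholders replace the quoted, interpolated values.
    $sql = 'INSERT INTO booking (PerfDate, PerfTime, Name, Email, RowNumber)
            VALUES (?, ?, ?, ?, ?)';

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        die('Prepare failed: ' . $con->error);
    }

    // Five string parameters ("sssss"). The driver sends them separately
    // from the SQL, so a name containing a quote (O'Brien) is stored as data
    // rather than terminating the string literal.
    $stmt->bind_param(
        'sssss',
        $_SESSION['date'],
        $_SESSION['time'],
        $_SESSION['name'],
        $_SESSION['email'],
        $_SESSION['row']
    );

    if ($stmt->execute()) {
        echo 'Booking successful';
    } else {
        // Report the driver error without echoing the SQL or the user's input.
        echo 'Error: ' . $stmt->error;
    }

    $stmt->close();
    $con->close();
}
?>
```

The error branch no longer prints `$sql` back to the browser: the original message reveals table and column names to anyone who can trigger a failure, and with bound parameters there is nothing useful in the statement text to show anyway.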