-12
$check_day = "select * from timetable where day ='$day'";
$run = mysql_query($check_day);
if(mysql_num_rows($run) > 0) {
  echo "<script>alert('day $day already exists in our database, please try another one!')</script>";
  exit();
}

$query = "insert into timetable (classes, courses, lecturers, time, room, day) values ('$classes','$courses','$lecturers','$time','$room','$day')";
if (mysql_query($query)) {
  echo "<script>alert('Registration Successful!')</script>";
}
}
Derek Wang
FelixN
  • 35
  • 1
    What is the error that you are getting? – Maximus2012 Nov 03 '16 at 20:12
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* – Jay Blanchard Nov 03 '16 at 20:16
  • 2
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 03 '16 at 20:16
  • @felixN your code can be hacked with SQL Injection, do not write code this way http://stackoverflow.com/questions/601300/what-is-sql-injection – TravisO Nov 03 '16 at 20:20
  • @JohnConde What is the reserved word? `time` and `day` are keywords, but not reserved. – Barmar Nov 03 '16 at 20:54
  • Can you explain why we don't know what that error message is? – Duane Lortie Nov 03 '16 at 21:17
  • What is the error message that you are getting? – Gabriele Ciech Nov 12 '16 at 10:33

3 Answers

1
    /* As I read all the previous comments, I found out that you are using the old SQL query, which is a bad practice. */

    # Note: Please read what mysqli is and why we use it

    # I have corrected your query

    // Create connection
    $conn = mysqli_connect($servername, $username, $password, $dbname);
    // Check connection
    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    }

    $check_day = "SELECT * FROM timetable WHERE day ='".$day."'";

    $run = mysqli_query($conn, $check_day);

    if (mysqli_num_rows($run) > 0) {
        echo "<script>alert('day $day already exists in our database, please try another one!')</script>";
        exit();
    } else {
        $query = "INSERT INTO timetable (`classes`, `courses`, `lecturers`, `time`, `room`, `day`) VALUES ('".$classes."','".$courses."','".$lecturers."','".$time."','".$room."','".$day."')";

        if (mysqli_query($conn, $query)) {
            echo "<script>alert('Registration Successful!')</script>";
        }
    }

I hope this helps you

rahul singh Chauhan
0

Use mysqli; it's more secure and better.

First connect: `$db = mysqli_connect('host', 'user', 'password', 'database');`

Next we're going to make our query:

    $query = "insert into timetable (classes, courses, lecturers, time, room, day) values ('$classes','$courses','$lecturers','$time','$room','$day')";
    $result = mysqli_query($db, $query);

Now your query is added, you can provide extra actions:

    // Your extra code here
James Bob
0

You are using outdated PHP/MySQL functions.

Use the new mysqli_* functions as they are more secure and updated.

https://www.w3schools.com/php/php_ref_mysqli.asp

Khalid
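
The comments on the question recommend prepared statements, while the answers above still build the SQL string from variables. The following is an added example (not code from the question or from any answer) of the same check-then-insert using PDO bound parameters. The in-memory SQLite database, the `add_timetable_row` helper and the sample rows are assumptions made so that it runs offline.

```php
<?php
// Added example. Assumption: in-memory SQLite replaces the MySQL server so the
// script runs offline; with MySQL only the DSN and credentials given to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE timetable (classes TEXT, courses TEXT, lecturers TEXT,
                                    time TEXT, room TEXT, day TEXT)');

const COLUMNS = ['classes', 'courses', 'lecturers', 'time', 'room', 'day'];

// Hypothetical helper: the question's "check day, then insert" logic.
// Returns true if the row was inserted, false if the day already exists.
function add_timetable_row(PDO $pdo, array $row): bool
{
    // :day is bound as a value, so quotes in it cannot alter the statement.
    $check = $pdo->prepare('SELECT COUNT(*) FROM timetable WHERE day = :day');
    $check->execute([':day' => $row['day']]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    $insert = $pdo->prepare(
        'INSERT INTO timetable (classes, courses, lecturers, time, room, day)
         VALUES (:classes, :courses, :lecturers, :time, :room, :day)'
    );
    $params = [];
    foreach (COLUMNS as $col) {
        $params[":$col"] = $row[$col]; // only the six known columns are bound
    }
    return $insert->execute($params);
}

// Constructed sample input, standing in for the submitted form fields.
$base = ['classes' => 'CS1', 'courses' => 'Databases', 'lecturers' => 'A. Smith',
         'time' => '09:00', 'room' => 'R12'];
$days = ['Monday', 'Monday', "Tuesday' OR '1'='1"];

foreach ($days as $day) {
    $ok = add_timetable_row($pdo, $base + ['day' => $day]);
    echo ($ok ? 'inserted: ' : 'already exists: ') . $day . PHP_EOL;
}
// The third value is stored literally; concatenated into the query string it
// would have turned the duplicate check into a condition that matches every row.
echo 'rows stored: ' . $pdo->query('SELECT COUNT(*) FROM timetable')->fetchColumn() . PHP_EOL;
```

The same `prepare`/`execute` calls work unchanged against MySQL once the PDO constructor is given a `mysql:` DSN and credentials.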