
These are my HTML inputs:

<input id="6" type="date" name="start_date">
<input id="7" type="time" name="start_time"><br>
<input id="8" type="date" name="end_date">
<input id="9" type="time" name="end_time"><br> 

Then I use the POST method to read them like this:

$start_date = (string) $_POST['start_date'];
$start_time = (string) $_POST['start_time'];
$end_date = (string) $_POST['end_date'];
$end_time = (string) $_POST['end_time'];

and finally execute the query like this:

$dateTimeStart="$start_date.' '.$start_time";
$dateTimeEnd="$end_date.' '.$end_time";
$dateTimeStart = date("Y-m-d H:i:s",strtotime($dateTimeStart));
$dateTimeEnd = date("Y-m-d H:i:s",strtotime($dateTimeEndime));
$sql="INSERT INTO appointment (prof_id, student_id, app_start, app_end) VALUES ('$prof_id', '(SELECT user_id FROM user WHERE firstname='$stud_first' AND lastname='$stud_last')', '$dateTimeStart', '$dateTimeEnd');";
mysqli_query($conn, $sql);

But there seems to be something wrong. Can you help me?

marc_s
kon
  • You're already using an API that supports **prepared statements** with bound variable input, so you should use parameterized queries with placeholders (prepared statements) to protect your database against [SQL injection](http://stackoverflow.com/q/60174/)! Get started with [`mysqli::prepare()`](http://php.net/mysqli.prepare) and [`mysqli_stmt::bind_param()`](http://php.net/mysqli-stmt.bind-param). – Qirel Jul 17 '17 at 21:14
  • Use PHP error reporting `error_reporting(E_ALL); ini_set('display_errors', 1);` and [`mysqli_error`](http://php.net/manual/en/mysqli.error.php) to get any query errors. If you add `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` as well, you cannot ignore errors either. – Qirel Jul 17 '17 at 21:15
  • Looks like `$dateTimeStart="$start_date.' '.$start_time";` is a bit wrong; those double quotes shouldn't be there around the string. Either drop the single quotes and periods, or drop the double quotes. – Qirel Jul 17 '17 at 21:16
  • The problem is the query. Specifically, I think it's because of the datetime format. That's where the mistake is. – kon Jul 17 '17 at 21:19
  • Like I said, the `$dateTimeStart` and `$dateTimeEnd` variables are incorrectly defined. You're concatenating, but then using double quotes. Choose one. – Qirel Jul 17 '17 at 21:22
  • If an answer solved your problem, consider accepting the answer. Here's how: http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. Then return here and do the same with the tick/checkmark until it turns green. This informs the community that a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Jul 17 '17 at 21:36
  • `'(SELECT user_id FROM user WHERE firstname='$stud_first' AND lastname='$stud_last')'` is a SQL string, not a SQL query, and also open to SQL injection. The quote here -> `firstname='` <- should actually break the string and throw an error. – chris85 Jul 17 '17 at 21:39

1 Answer

Try removing the quotes around the subselect:

    $sql="INSERT INTO appointment (prof_id, student_id, app_start, app_end) VALUES ('$prof_id', (SELECT user_id FROM user WHERE firstname='$stud_first' AND lastname='$stud_last'), '$dateTimeStart', '$dateTimeEnd');";

lexotrion
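The comments above recommend prepared statements and strict error reporting, and the answer removes the quotes around the subselect. The following is an added example that combines both (it is not the asker's code or the answer's); it assumes `$conn` is an open `mysqli` connection, that `$prof_id` is already known to the script, and that the student's name arrives in hypothetical `$_POST['stud_first']` and `$_POST['stud_last']` fields, since the question does not show where `$stud_first` and `$stud_last` come from.

```php
<?php
// Added example (not the asker's or the answer's code): the same INSERT rewritten with
// mysqli prepared statements plus a strict date/time builder. $conn (open mysqli
// connection), $prof_id and the $_POST keys stud_first/stud_last are assumptions.

// Turn every mysqli error into an exception so a failing query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Combine a date ("Y-m-d") and a time ("H:i" or "H:i:s", as <input type="time"> submits)
 * into one "Y-m-d H:i:s" string. Input that does not parse exactly is rejected instead of
 * being passed to date() as a failed strtotime() result.
 */
function buildDateTime(string $date, string $time): string
{
    // Concatenate outside the quotes: "$a.' '.$b" in double quotes keeps the literal .' '.
    $raw = $date . ' ' . $time;
    foreach (['!Y-m-d H:i:s', '!Y-m-d H:i'] as $format) {   // '!' zeroes fields the format omits
        $dt = DateTime::createFromFormat($format, $raw);
        $errors = DateTime::getLastErrors();                   // false on PHP >= 8.2 when clean
        $clean = $errors === false
              || ($errors['warning_count'] === 0 && $errors['error_count'] === 0);
        if ($dt !== false && $clean) {
            return $dt->format('Y-m-d H:i:s');
        }
    }
    throw new InvalidArgumentException("Invalid date/time: '$raw'");
}

/**
 * Insert the appointment. The subselect is unquoted so MySQL evaluates it as a query
 * (quoted, student_id would receive the literal text "(SELECT ...)"), and every value
 * is bound through a placeholder, so a quote inside a name cannot alter the SQL.
 */
function insertAppointment(mysqli $conn, int $profId, string $studFirst, string $studLast,
                           string $start, string $end): int
{
    $sql = 'INSERT INTO appointment (prof_id, student_id, app_start, app_end)
            VALUES (?, (SELECT user_id FROM user WHERE firstname = ? AND lastname = ?), ?, ?)';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('issss', $profId, $studFirst, $studLast, $start, $end);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage with the form fields from the question (stud_first/stud_last keys are assumed).
$start = buildDateTime((string) ($_POST['start_date'] ?? ''), (string) ($_POST['start_time'] ?? ''));
$end   = buildDateTime((string) ($_POST['end_date'] ?? ''),   (string) ($_POST['end_time'] ?? ''));
if ($end <= $start) {                          // same fixed format, so string order is chronological
    throw new InvalidArgumentException('Appointment must end after it starts');
}
insertAppointment($conn, (int) $prof_id, (string) ($_POST['stud_first'] ?? ''),
                  (string) ($_POST['stud_last'] ?? ''), $start, $end);
```

Two behaviours of the scalar subselect are worth knowing when you test this: if no user matches the name, it yields `NULL`, and the insert then either stores a `NULL` `student_id` or fails on a `NOT NULL` constraint, depending on the table definition; if more than one user matches, MySQL raises "Subquery returns more than 1 row", which the `MYSQLI_REPORT_STRICT` mode surfaces as a `mysqli_sql_exception` rather than a silently failed `mysqli_query()` call.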