
I am trying to prevent duplication in my reservation system, for a specific room and between the start date and end date of the reservation. Here is the form I started, and someone helped me with the constraint:

Prevent date and time insert to the database

Now I am trying to implement the constraint, but I am getting the error "function execute() on boolean".

The idea of the constraint is to be implemented on submit, to check whether the dates inserted in the form are reserved for the same room or not; if they are reserved, it will return 1.

Here is my PHP:

```php
<?php
session_start();
include('includes/config.php');
include('includes/checklogin.php');
check_login();

$username = $_SESSION['username'];

//code for add courses
if($_POST['submit'])
{
    $officename=$_POST['officename'];
    $roomname=$_POST['roomname'];
    $startdate=$_POST['startdate'];
    $enddate=$_POST['enddate'];

    $stmt1 = $mysqli->prepare("select count(1) as counter from reservations where roomname = ? and startdate = ? between resstart and resend");
    $stmt1->execute();
    $stmt1->bind_result($roomname,$startdate);
    $stmt1->fetch();

    $query="insert into  reservations (officename,roomname,resstart,resend,resuser) values(?,?,?,?,?)";
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param('sssss',$officename,$roomname,$startdate,$enddate,$username);

    if($stmt->execute() && $stmt1 == 0){
        echo"<script>alert('Your Reservation Has Been Added Successfully');</script>";
    }else{
        echo"<script>alert('Warning! You cannot Reserve this appointment');</script>";
    }
}
?>
```
Ahmed

  • Your first query is wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) (and you're missing quotes around your string values in it) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. Especially since you're not escaping the user inputs at all! – M. Eriksson Sep 18 '17 at 16:59
  • @Magnus Eriksson I understand this, but I just want it to work to check whether it will prevent duplication or not; after this I will deal with the statements to prevent SQL injections – Ahmed Sep 18 '17 at 17:04
  • **1.** Why not write it correctly to start with instead of rewriting it later? That will just lead to misses and insecure code making it to prod. Knowingly writing insecure code is lazy and highly discouraged. **2.** Since you're not using prepared statements, you need to quote your string values in your query. You also need to escape the data, since any string containing single quotes or ending with backslashes will break your query. Better to use prepared statements from the start for this reason as well. – M. Eriksson Sep 18 '17 at 17:08
  • @Ahmed Translation of what you just said: "I know my code is broken, I'll fix it after it starts working". Do it properly the first time. There's no reason to be sloppy and then have to post a Stack Overflow question to repair the damage. – tadman Sep 18 '17 at 17:20
  • @tadman I am not going to publish this project, it's just a task. I have been thinking about how to prevent duplication a lot, and once I found it, I just want to make sure the idea of the constraint works fine, as this is the task required of me. Not here to waste anyone's time. – Ahmed Sep 18 '17 at 17:23
  • @Ahmed The point is, doing it properly the first time likely would have solved all the issues you're having anyway. – GrumpyCrouton Sep 18 '17 at 17:24
  • Using prepared statements with placeholder values is not more work, it's not harder. It takes another line of code, and that line of code can and will save you hours and hours of fussy troubleshooting. It's also the only *correct* way to do this, you *must* escape values properly or there will be problems. Don't make excuses. It takes more time to protest than to fix it. You literally have one query done correctly here as an example, so just make the other work the same way. – tadman Sep 18 '17 at 17:25
  • If you'd rather write less code to get things done then you should look at an ORM like [Doctrine](http://www.doctrine-project.org/), [Propel](http://propelorm.org/) or [Eloquent](https://laravel.com/docs/master/eloquent) as these can save you even more time while also ensuring your queries are correct. – tadman Sep 18 '17 at 17:26
  • @tadman Sorry, I didn't use select before in prepared statements. I have removed the variables and put placeholders, and pass the variables to bind_result, but still the same problem – Ahmed Sep 18 '17 at 17:42
  • It looks like you're calling `bind_result`, but not `bind_param`. Those placeholders aren't populated. Remember a lot of problems can be detected and resolved by [enabling exceptions in `mysqli`](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so mistakes aren't easily ignored. – tadman Sep 18 '17 at 18:54
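The pattern the comments point to (`bind_param` on both statements, mysqli exceptions enabled) combined with a real interval-overlap test, as an added example that is not the asker's code: it assumes the `reservations` table from the question, an open `$mysqli` connection, and `resstart`/`resend` stored in a format that compares correctly as strings (e.g. `YYYY-MM-DD HH:MM:SS`); the function names are my own.

```php
<?php
// Added example, not the asker's code. Assumes $mysqli is an open mysqli
// connection and the reservations table from the question exists.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

function roomIsFree(mysqli $db, string $roomname, string $start, string $end): bool
{
    // Two intervals overlap when each one starts before the other ends.
    // "startdate BETWEEN resstart AND resend" only catches a new booking
    // that starts inside an existing one; this catches every overlap.
    // Half-open: a booking ending exactly when the new one starts is fine.
    $sql = "SELECT COUNT(*) FROM reservations
            WHERE roomname = ? AND resstart < ? AND resend > ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sss', $roomname, $end, $start); // placeholders populated
    $stmt->execute();
    $stmt->bind_result($clashes);
    $stmt->fetch();
    $stmt->close();
    return (int)$clashes === 0;
}

function addReservation(mysqli $db, string $office, string $room,
                        string $start, string $end, string $user): bool
{
    // Reject empty or reversed intervals before touching the database
    // (assumes the same sortable date format as the table columns).
    if ($end <= $start) {
        return false;
    }
    $db->begin_transaction();
    try {
        if (!roomIsFree($db, $room, $start, $end)) {
            $db->rollback();
            return false; // caller shows "cannot reserve this appointment"
        }
        $stmt = $db->prepare("INSERT INTO reservations
            (officename, roomname, resstart, resend, resuser) VALUES (?, ?, ?, ?, ?)");
        $stmt->bind_param('sssss', $office, $room, $start, $end, $user);
        $stmt->execute();
        $stmt->close();
        $db->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e; // log it; do not echo database errors to the browser
    }
}
```

The check and the insert are still two statements, so two simultaneous requests for the same room can both pass the check; on InnoDB, appending `FOR UPDATE` to the SELECT inside the transaction (with an index on `roomname, resstart`) makes the second request wait for the first to commit.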

0 Answers