
I am very new to PHP and MySQL; I am trying to do something simple. I have the jQuery function:

//Operations for Add Booking button
$("#buttonAddBooking").on('click', function(e) {
 e.preventDefault();
 $.ajax({
  type: 'POST',
  url: 'http://localhost/add_booking.php',
  // departureDate was split across two lines, which is a syntax error inside a string literal
  data: {'guestID': 6, 'arrivalDate': '2018-12-07', 'departureDate': '2018-12-16'},
  success: function(data){
   alert('DONE');
  }
 });
 return false;
});

and the add_booking.php script:

<?php
// $servername, $dbusername, $dbpassword and $dbname are assumed to be defined above (not shown in the question)
//Create connection
$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
//Check connection
if (mysqli_connect_errno()){
 echo "Connection failed:" . mysqli_connect_error();
 exit;
}
if(isset($_POST['guestID']) && !empty($_POST['guestID'])) {
 $guest_id = $_POST['guestID'];
}
if(isset($_POST['arrivalDate']) && !empty($_POST['arrivalDate'])) {
 $arrival_date = $_POST['arrivalDate'];
}
if(isset($_POST['departureDate']) && !empty($_POST['departureDate'])) {
 $departure_date = $_POST['departureDate'];
}
// POST values are interpolated straight into the SQL string (see the comments below)
$sql = "INSERT INTO bookings (bookingsID, guestsID, arrival_date, departure_date) VALUES (NULL, $guest_id, '$arrival_date', '$departure_date')";
if (mysqli_query($conn,$sql)) {
 echo "New record created successfully";
} else {
 echo ("Error: " . mysqli_error($conn));
}
mysqli_close($conn);

I am trying to insert a new record into the bookings table, where guestsID is a foreign key, and I can't. I guess the problem is that guestsID is int.

Tom Aranda
  • A quick fix is to just put single quotes around `$guest_id`. However, you should do yourself a favor and read up on `prepared statements`, to protect yourself from SQL injection attacks. – IncredibleHat Jan 10 '18 at 19:04
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jan 10 '18 at 19:13
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Jan 10 '18 at 19:13
  • A lot of problems can be detected and resolved by [enabling exceptions in `mysqli`](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so mistakes aren't easily ignored. – tadman Jan 10 '18 at 19:13
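The three comments above (use `bind_param` with a prepared statement, prefer the object-oriented `mysqli` interface, and enable exceptions) put together as one version of `add_booking.php`. This is an added example, not the asker's or the commenters' code. It assumes the `bookings` columns named in the question, placeholder credentials, and that the date and guest ID fields arrive exactly as the jQuery call above sends them; the function names `validateBookingInput` and `addBooking` are the example's own.

```php
<?php
// Added example (not the asker's or commenters' code): the same insert written
// with the mysqli object-oriented interface, exceptions enabled, and a
// prepared statement, as the comments recommend.
// Assumed: the `bookings` table has the columns named in the question
// (bookingsID auto-increment, guestsID int foreign key, arrival_date, departure_date).

declare(strict_types=1);

// Turn every mysqli error into an exception so a failed connect or query cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$servername = 'localhost';   // placeholder credentials; the question defines these elsewhere
$dbusername = 'booking_app';
$dbpassword = 'CHANGE_ME';
$dbname     = 'hotel';

/**
 * Validate the raw POST fields before they go anywhere near the query.
 * Returns [guestID, arrival, departure] or throws InvalidArgumentException.
 */
function validateBookingInput(array $post): array
{
    // guestID must be a positive integer, because guestsID is an INT foreign key.
    $guestId = filter_var($post['guestID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($guestId === false) {
        throw new InvalidArgumentException('guestID must be a positive integer');
    }

    $dates = [];
    foreach (['arrivalDate', 'departureDate'] as $field) {
        $raw = (string) ($post[$field] ?? '');
        // Accept exactly YYYY-MM-DD; the round-trip check rejects overflowed dates such as 2018-02-30.
        $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
        if ($dt === false || $dt->format('Y-m-d') !== $raw) {
            throw new InvalidArgumentException("$field must be a date in YYYY-MM-DD form");
        }
        $dates[$field] = $dt;
    }
    if ($dates['departureDate'] <= $dates['arrivalDate']) {
        throw new InvalidArgumentException('departureDate must be after arrivalDate');
    }

    return [$guestId, $dates['arrivalDate']->format('Y-m-d'), $dates['departureDate']->format('Y-m-d')];
}

/**
 * Insert one booking with a prepared statement and return the new bookingsID.
 */
function addBooking(mysqli $db, int $guestId, string $arrival, string $departure): int
{
    // The SQL text contains only placeholders; the values are sent to the server
    // separately, so their contents can never change the statement's meaning.
    $stmt = $db->prepare(
        'INSERT INTO bookings (bookingsID, guestsID, arrival_date, departure_date) VALUES (NULL, ?, ?, ?)'
    );
    $stmt->bind_param('iss', $guestId, $arrival, $departure); // i = int, s = string
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

header('Content-Type: application/json');
try {
    [$guestId, $arrival, $departure] = validateBookingInput($_POST);

    $db = new mysqli($servername, $dbusername, $dbpassword, $dbname);
    $db->set_charset('utf8mb4');

    $newId = addBooking($db, $guestId, $arrival, $departure);
    $db->close();

    echo json_encode(['ok' => true, 'bookingsID' => $newId]);
} catch (InvalidArgumentException $e) {
    // The client sent bad input: report it without touching the database.
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
} catch (mysqli_sql_exception $e) {
    // A foreign-key violation (unknown guestsID) or any other DB failure lands here.
    // Keep the driver's message in the server log; return only a generic message to the browser.
    error_log('add_booking failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'booking could not be saved']);
}
```

With exceptions enabled, a guestsID that does not exist in the parent table surfaces as a `mysqli_sql_exception` carrying the foreign-key error text, which is far easier to diagnose than the silent failure of an unchecked `mysqli_query` call; the `'i'` type in `bind_param` also settles the question of whether the integer column needs quoting, because no quoting happens at all.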
