-2

I am trying out a reviewer, and I keep getting this error.

( ! ) Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in D:\wamp\www\Final_Exam\roomreserved.php on line 18

and this is what's on line 18

mysqli_query($con, "insert into Reservation values ('$CN['CNO']', CURDATE(), '$RoomCode', '$NoR', '$RC['RoomDesc']')")
General Grievance
  • 2
    Wouldn't have this problem if you'd used [prepared statements](http://php.net/manual/en/mysqli.prepare.php) with [bound parameters](http://php.net/manual/en/mysqli-stmt.bind-param.php). – CD001 May 09 '18 at 14:32
  • 2
    I don't think this question is deserving of downvotes IMO, the OP is obviously learning as they say; `I have an exam tomorrow`, cut them some slack Jack's :) – Can O' Spam May 09 '18 at 14:34
  • @SamSwift웃 - I didn't d/v as the question meets the criteria; it states the problem and just about provides a minimal, complete, verifiable example ... but I'm 99% certain it'll be a duplicate is all. – CD001 May 09 '18 at 14:40
  • Using a good IDE/Editor with syntax highlighting would go a long way to solving issues like this one. – aynber May 09 '18 at 15:17

1 Answer

4

The issue here is you are not escaping your PHP variables in your strings;

mysqli_query($con, "insert into Reservation values ('{$CN['CNO']}', CURDATE(), '$RoomCode', '$NoR', '{$RC['RoomDesc']}')");

What is happening is, your arrays have single quotes and so does your query, so using the curly braces around the variables will "escape them"

Using the single quotes in both the arrays and the query causes it to think there are more strings than expected

You can do this other ways too, here is an example with curly braces around ALL variables and one where the variables are "concatenated" to the query string respectively;

mysqli_query($con, "insert into Reservation values ('{$CN['CNO']}', CURDATE(), '{$RoomCode}', '{$NoR}', '{$RC['RoomDesc']}')");
mysqli_query($con, "insert into Reservation values ('" . $CN['CNO'] . "', CURDATE(), '" . $RoomCode . "', '" . $NoR . "', '" . $RC['RoomDesc'] . "')");

One thing to also take into consideration - is the user of this malicious? Look into functions such as addslashes or mysqli_real_escape_string to help your battle against SQL injection - both of these are "acceptable", but not the best, look into prepared statements as these are the best option for SQL Injection Prevention (CD001 gives the best resources for this in the comments of your question)

Can O' Spam
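The prepared-statement approach recommended in the comment and the answer, applied to the question's INSERT, as an added example that is not code from the asker or the answerer. The connection details, the sample values and the function name `reserveRoom` are assumptions, and all four values are bound as strings because the page does not show the column types.

```php
<?php
// Added example. Assumptions: placeholder connection details, hypothetical
// function name reserveRoom, and a Reservation table whose five columns are
// in the order the question's INSERT implies (column types unknown).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function reserveRoom(mysqli $con, array $CN, string $RoomCode, string $NoR, array $RC): int
{
    // The SQL text is constant: every value is a ? placeholder, so no PHP
    // variable is interpolated and the quoting parse error cannot occur.
    $stmt = mysqli_prepare(
        $con,
        "insert into Reservation values (?, CURDATE(), ?, ?, ?)"
    );

    // bind_param binds by reference; local copies leave the caller's arrays alone.
    $cno = (string) $CN['CNO'];
    $roomDesc = (string) $RC['RoomDesc'];
    // "ssss" sends all four values as strings; MySQL converts them as needed.
    mysqli_stmt_bind_param($stmt, "ssss", $cno, $RoomCode, $NoR, $roomDesc);

    mysqli_stmt_execute($stmt);
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed sample input. The apostrophe in RoomDesc would end the quoted
// SQL literal early in the interpolated versions; here it is just data.
$CN = ['CNO' => 'C001'];
$RC = ['RoomDesc' => "Queen's Suite"];

try {
    // Placeholder host, credentials and database name.
    $con = mysqli_connect('localhost', 'db_user', 'db_password', 'final_exam');
    mysqli_set_charset($con, 'utf8mb4');
    echo reserveRoom($con, $CN, 'R101', '2', $RC), " row(s) inserted\n";
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side and show the user a generic message.
    error_log($e->getMessage());
    echo "Reservation failed\n";
}
```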