0

Hi im trying to learn vanilla PHP with PDO to load and edit mySQL database, I am trying to create an example of a form validation where a student selects which module they want and a lab session afterwards followed by their name and email.

I want to include a capacity to the form so if so many students choose lab session 2 and lab session 2 has a max capacity of 3 students, for example. Then that lab session is fully booked and the student cant sign up to the session if they do they get an error message to say the session is fully booked.

I attemped to do this and it seemed bad and messy, it also didnt work as eventhough it gave the error message to say the session is fully booked, it still inserts the data into mysql.

Part of my code below:

if (isset($_POST['submit'])){
              if(filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)){
                    $module=$_POST['MODCOD'];//drop down menu
                    $lab=$_POST['LabTime'];//drop down menu student selects session they want
                    $first=$_POST['firstName'];//enter manually
                    $last=$_POST['lastName'];
                    $email=$_POST['email'];
                    
                    echo '<p> user registered</p>';
                    echo "<h2>Lab booking table </h2>\n";
                    $checkLab517 =$pdo->query("select count(*) from meetings WHERE Lab='11:00, Lab 2'") ->fetchColumn();
                    $checkLab518 =$pdo->query("select count(*) from meetings WHERE Lab='11:00, Lab 3'") ->fetchColumn();
                    }
                }  
                else{
                    echo 'Invalid';
                }

            
            if($checkLab517==3){
                    echo 'COMP517:<br>';
                    echo '11:00, Lab 2','<font color="red"> FULLY BOOKED</font><br>';
                }
            if($checkLab518==2){
                echo 'COMP518:<br>';
                echo '11:00, Lab 3','<font color="red"> FULLY BOOKED</font>';
            }
            else{
                $sql = "INSERT INTO meetings (Module, Lab, Email,firstName,lastName)
                    VALUES ('$module', '$lab', '$email','$first','$last')";
                    $pdo->exec($sql);
            }

Any help would be appreciated thanks for your time

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
dfx99
  • 23
  • 4
  • The else is only for 518. You need to add that for 517. You need to protect against sql injection. you need to user prepared statements. https://bobby-tables.com/php – Jason K Dec 17 '20 at 15:41
  • Here's a good [starting point](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for writing safer queries. – El_Vanja Dec 17 '20 at 15:49

2 Answers2

0

Even though you are right by your own admission that your code is messy, thats OK - we all have to start somewhere!

You just need to chain your if/else conditions together. When this is not in place and $checkLab517 == 3 the insert will always be executed.

Change this...

if($checkLab517==3){
    echo 'COMP517:<br>';
    echo '11:00, Lab 2','<font color="red"> FULLY BOOKED</font><br>';
}
if($checkLab518==2){
    echo 'COMP518:<br>';
    echo '11:00, Lab 3','<font color="red"> FULLY BOOKED</font>';
} else {
    $sql = "INSERT INTO meetings (Module, Lab, Email,firstName,lastName)
        VALUES ('$module', '$lab', '$email','$first','$last')";
    $pdo->exec($sql);
}

To this...

if($checkLab517==3){
    echo 'COMP517:<br>';
    echo '11:00, Lab 2','<font color="red"> FULLY BOOKED</font><br>';
} elseif($checkLab518==2){ // This is where the magic happens!
    echo 'COMP518:<br>';
    echo '11:00, Lab 3','<font color="red"> FULLY BOOKED</font>';
} else {
    $sql = "INSERT INTO meetings (Module, Lab, Email,firstName,lastName)
        VALUES ('$module', '$lab', '$email','$first','$last')";
    $pdo->exec($sql);
}

p.s. your code is very vulernable to an attack called a SQL injection which you should definitely look at preventing. Do a search on how to prevent SQL injection with PHP here on StackOverflow.

Simon K
  • 1,503
  • 1
  • 8
  • 10
  • Problem with that is if 517 == 3 518 will never be checked. – Jason K Dec 17 '20 at 15:48
  • @JasonK - sorry bro, didn't see your comment (which was before my answer) on the OP until now – Simon K Dec 17 '20 at 15:56
  • thank you its a personal project atm , i will start looking at the sql injection attacks when ive got my head around this haha. Thanks and yea my issue comes to what Jason has commented. If 517==3 then 518 is never checked . – dfx99 Dec 17 '20 at 15:58
0

Using prepared statements will protect your data. A single quote will come up in data more than you think.

User imputed and computer calculated.

I assume you also want to add an exit; after the invalid message to stop it from trying to book the room.

if($checkLab517==3){
    echo 'COMP517:<br>';
    echo '11:00, Lab 2','<font color="red"> FULLY BOOKED</font><br>';
}else {
  bookLabSpot($module, $lab, $email, $first, $last);
}
if($checkLab518==2){
    echo 'COMP518:<br>';
    echo '11:00, Lab 3','<font color="red"> FULLY BOOKED</font>';
} else {
  bookLabSpot($module, $lab, $email, $first, $last);
}
function bookLabSpot($iModule, $iLab, $iEmail, $iFirst, $iLast){
  global $pdo;
  $stmt = $pdo->prepare('INSERT INTO meetings (Module, Lab, Email,firstName,lastName)
        VALUES (:module, :lab, :email, :first, :last)');
  $pdo->execute([
    ':module'=>$iModule,
    ':lab'=>$iLab,
    ':email'=>$iEmail,
    ':first'=>$iFirst,
    ':idxid'=>$iLast,
  ]);
}

I have not compiled this so there may be syntax errors.

Jason K
  • 1,406
  • 1
  • 12
  • 15