
I have the following code:

```php
if(isset($_POST['submit'])){
    $activityID = mysqli_real_escape_string($_POST['activityID']);
    $date_of_activity = mysqli_real_escape_string($_POST['date']);
    $number_of_tickets = mysqli_real_escape_string($_POST['number_of_tickets']);
    $db_id = mysqli_real_escape_string($_POST['customerID']);

    $sql2 = "INSERT INTO booked_activities(activityID, customerID, date_of_activity, number_of_tickets)
       VALUES (?, ?, ?, ?);";

    $stmt = mysqli_stmt_init($connection);
    if(!mysqli_stmt_prepare($stmt, $sql2)){
        echo "SQL error";
    } else {
        mysqli_stmt_bind_param($stmt, "iiii", $activityID, $db_id, $date_of_activity, $number_of_tickets);
        mysqli_stmt_execute($stmt);
    }

    $bookedresult = mysqli_query($connection, $sql2);

    if(!$bookedresult){
        echo 'Query Failed ' . mysqli_error($connection); //test for primary duplicate;
    } else if ($bookedresult) {
        echo "booking registered";
    }
}
```

I'd like to know, firstly, is using real_esc_string necessary in this case? Also, when I submit the form, I get no error message from my if statement, but additionally the table does not populate.

My only thought is that the format for the input which I have as iiii is incorrect. I've tried as ssss and I'm getting the same result.

I think maybe I need i(date)ii. If so, what's the syntax to specify a date/time in a prepared statement?

DeeJJx
  • A `date` should be set using a `string` type placeholder, i.e. `s` rather than `i` in the `stmt_bind_param`. – Professor Abronsius Jan 06 '21 at 15:11
  • Replace `"iiii"` with `'ssss'` and remove all `mysqli_real_escape_string`. – Dharman Jan 06 '21 at 15:12
  • The order of your bind variables looks odd; they should be in the same order as the columns they are populating. – Nigel Ren Jan 06 '21 at 15:13
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here: https://phpdelusions.net/pdo – Dharman Jan 06 '21 at 15:13
  • If you are parameterising your queries, as you should, then `mysqli_real_escape_string` is redundant at best and actively detrimental at worst. You don't need it and should remove it. – ADyson Jan 06 '21 at 15:15
  • Also, remove `$bookedresult = mysqli_query($connection, $sql2);` and the next 5 lines that follow. – Dharman Jan 06 '21 at 15:17
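The points raised in the comments (no escaping with placeholders, `s` for the date, one execution path through the prepared statement, and catching the duplicate-key case the original `//test for primary duplicate` comment was after) put together as an added example; this is not the asker's code. It assumes `$connection` is an open mysqli handle, the `booked_activities` table from the question, and that `date_of_activity` is a MySQL `DATE` column, so the bound value is a `YYYY-MM-DD` string.

```php
<?php
// Throw mysqli_sql_exception on any MySQL error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function register_booking(mysqli $connection, array $post): string
{
    // Validate and cast in PHP. No mysqli_real_escape_string: the placeholders
    // carry the values separately from the SQL text, so nothing is interpolated.
    $activityID = filter_var($post['activityID'] ?? null, FILTER_VALIDATE_INT);
    $customerID = filter_var($post['customerID'] ?? null, FILTER_VALIDATE_INT);
    $tickets    = filter_var($post['number_of_tickets'] ?? null, FILTER_VALIDATE_INT,
                             ['options' => ['min_range' => 1]]);
    // Accept only YYYY-MM-DD; '!' resets the unparsed time fields to zero.
    $date = DateTime::createFromFormat('!Y-m-d', (string) ($post['date'] ?? ''));
    if ($activityID === false || $customerID === false || $tickets === false || $date === false) {
        return 'invalid input';
    }
    $dateStr = $date->format('Y-m-d');   // the DATE is bound as a string ('s'), never 'i'

    $sql = 'INSERT INTO booked_activities (activityID, customerID, date_of_activity, number_of_tickets)
            VALUES (?, ?, ?, ?)';
    $stmt = mysqli_prepare($connection, $sql);
    // Type string in column order: int, int, string (date), int.
    mysqli_stmt_bind_param($stmt, 'iisi', $activityID, $customerID, $dateStr, $tickets);

    try {
        // The prepared statement runs the INSERT; there is no second mysqli_query()
        // of the raw "?" template, which can never succeed on its own.
        mysqli_stmt_execute($stmt);
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {     // ER_DUP_ENTRY: primary/unique key already present
            return 'booking already exists';
        }
        throw $e;                         // any other database error should surface, not be hidden
    } finally {
        mysqli_stmt_close($stmt);
    }
    return 'booking registered';
}

if (isset($_POST['submit'])) {
    echo register_booking($connection, $_POST);
}
```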

0 Answers