Hey,guys!

I have a form which have some hidden fields because those fields' value need to be displayed in next page by using $_GET.However,I also need to store them into database while form submitted,but my query statement didn't work,what went wrong with it?



<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$insert = mysql_query("INSERT INTO $tbl_name (reserve_date,reserve_time,seat_qty,ref_code)VALUES ('" . $_GET['selected_date'] . "','" . $_GET['showtime'] . "','" . $_GET['noOfSeat'] . ".,'" . $_GET['refCode'] . "')") or die(mysql_error());

}
?>




<tr>
<td><strong>Showtime</strong></td>
<td><?php echo $time; ?></td>
<input type="hidden" name="showtime" value="<?php echo $time; ?>">
</tr>

<tr>
<td><strong>Date</strong></td>
<td><?php echo $_GET['selected_date']; ?></td>
<input type="hidden" name="selected_date"
value="<?php $_GET['selected_date']; ?>">
</tr>

<tr>
<td><font face="Arial"><strong>No. of Seats</strong></font></td>
<td><font face="Arial"><?php echo $noOfSeat; ?></td>
<input type="hidden" name="noOfSeat"
value="<?php echo $noOfSeat; ?>">
</tr>

<tr>
<td>
<input type="hidden" name="refCode" value="<?php echo $refCode; ?>">
</td>
</tr>


RefCode is generated in current page but only displays in next page.

try using this instead of the php code...



<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){

$insert =MYSQL_QUERY("INSERT INTO tbl_name (id,title,date,news,link,img,contact,author)". "VALUES ('NULL', '$title', '$date', '$news', '$link', '$img', '$contact', '$author')");

}
?>

just change the other content oh yeh there is no dollor sign suppose to be in tbl_name

This is what you have!


<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$insert = mysql_query("INSERT INTO $tbl_name (reserve_date,reserve_time,seat_qty,ref_code)VALUES ('" . $_GET['selected_date'] . "','" . $_GET['showtime'] . "','" . $_GET['noOfSeat'] . ".,'" . $_GET['refCode'] . "')") or die(mysql_error());

}
?>

This is what you should try!!!


<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$insert = mysql_query("INSERT INTO tbl_name (reserve_date,reserve_time,seat_qty,ref_code)VALUES ('" . $_GET['selected_date'] . "','" . $_GET['showtime'] . "','" . $_GET['noOfSeat'] . ".,'" . $_GET['refCode'] . "')") or die(mysql_error());

}
?>

maybe it might work.. but i dont understand why you have this

$tbl_name = 'reserve';

$tbl_name = "reserve"; just stated that table name is 'reserve'
Here is the sql code for reserve table:



CREATE TABLE `reserve` (
`reserve_id` int(4) NOT NULL auto_increment,
`reserve_date` date NOT NULL,
`reserve_time` time NOT NULL,
`seat_qty` int(2) NOT NULL,
`ref_code` varchar(50) collate latin1_general_ci NOT NULL,
`movie_id` int(4) NOT NULL,
`member_id` int(4) NOT NULL,
PRIMARY KEY (`reserve_id`),
KEY `movie_id` (`movie_id`),
KEY `member_id` (`member_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci AUTO_INCREMENT=1 ;


Maybe no value being assigned to two foreign keys(movie_id and member_id) because I not sure how to refer it.So,I rewrite the query statement as shown below BUT data still CAN'T store in database.



<?
//$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$sql = 'INSERT INTO `reserve` SET';
$sql .= ' `reserve_date` = \''.mysql_real_escape_string($_GET['selected_date']).'\'';
$sql .= ', `reserve_time` = \''.mysql_real_escape_string($_GET['showtime']).'\'';
$sql .= ', `seat_qty` = '.((int)$_GET['noOfSeat']);
$sql .= ', `ref_code` = \''.mysql_real_escape_string($_GET['refCode']).'\'';
$sql .= ', `movie_id` = 1'; // I just put 1 so it would actually do something.
$sql .= ', `member_id` = 1'; // I just put 1 so it would actually do something.
mysql_query($sql) or die(mysql_error());
}

?>





try using this instead of the php code...



<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){

$insert =MYSQL_QUERY("INSERT INTO tbl_name (id,title,date,news,link,img,contact,author)". "VALUES ('NULL', '$title', '$date', '$news', '$link', '$img', '$contact', '$author')");

}
?>

just change the other content oh yeh there is no dollor sign suppose to be in tbl_name

This is what you have!


<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$insert = mysql_query("INSERT INTO $tbl_name (reserve_date,reserve_time,seat_qty,ref_code)VALUES ('" . $_GET['selected_date'] . "','" . $_GET['showtime'] . "','" . $_GET['noOfSeat'] . ".,'" . $_GET['refCode'] . "')") or die(mysql_error());

}
?>

This is what you should try!!!


<?
$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$insert = mysql_query("INSERT INTO tbl_name (reserve_date,reserve_time,seat_qty,ref_code)VALUES ('" . $_GET['selected_date'] . "','" . $_GET['showtime'] . "','" . $_GET['noOfSeat'] . ".,'" . $_GET['refCode'] . "')") or die(mysql_error());

}
?>

maybe it might work.. but i dont understand why you have this

$tbl_name = 'reserve';

$insert =MYSQL_QUERY("INSERT INTO tbl_name (id,title,date,news,link,img,contact,author)". "VALUES ('NULL', '$title', '$date', '$news', '$link', '$img', '$contact', '$author')");None of those variables is necessarily defined, and NULL is not a string. You've also forgotten to escape the values, giving an attacker full access to execute arbitrary queries.

I reliazed mt_rand() return an integer,so change ref_code to int,however data yet to be stored.What weent wrong actually???Hope someone can help me....



<?
//$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$sql = 'INSERT INTO `reserve` SET';
$sql .= ' `reserve_date` = '.($_GET['selected_date']);
$sql .= ', `reserve_time` = '.($_GET['showtime']);
$sql .= ', `seat_qty` = '.((int)$_GET['noOfSeat']);
$sql .= ', `ref_code` = '.((int)$_GET['refCode']);
$sql .= ', `movie_id` = 1'; //I just put 1 so it would actually do something.
$sql .= ', `member_id` = 1'; // I just put 1 so it would actually do something.
mysql_query($sql) or die(mysql_error());
}

?>




CREATE TABLE `reserve` (
`reserve_id` int(4) NOT NULL auto_increment,
`reserve_date` date NOT NULL,
`reserve_time` time NOT NULL,
`seat_qty` int(2) NOT NULL,
`ref_code` int(5) NOT NULL,
`movie_id` int(4) NOT NULL,
`member_id` int(4) NOT NULL,
PRIMARY KEY (`reserve_id`),
KEY `movie_id` (`movie_id`),
KEY `member_id` (`member_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci AUTO_INCREMENT=1 ;

I have changed my query



<?php
//$tbl_name = "reserve";
if (isset($_GET['confirm'])){
$sql = 'INSERT INTO `reserve` SET';
$sql .= ' `reserve_date` = \''.mysql_real_escape_string($_GET['selected_date']).'\'';
$sql .= ', `reserve_time` = \''.mysql_real_escape_string($_GET['showtime']).'\'';
$sql .= ', `seat_qty` = '.((int)$_GET['noOfSeat']);
$sql .= ', `ref_code` = '.((int)$_GET['refCode']);
$sql .= ', `movie_id` = 1'; //I just put 1 so it would actually do something.
$sql .= ', `member_id` = 1'; // I just put 1 so it would actually do something.

print "SQL STATEMENT: ";
var_dump($sql);

$result = mysql_query($sql);

print "MYSQL RETURN: ";
var_dump($result);

print "MYSQL ERROR: ";
var_dump(mysql_error());
} else {
print "FORM NEVER SENT confirm VALUE";
}
?>



These are what displayed when action=reservation3.php,the current page rather than next page which I wanted.

FORM NEVER SENT confirm VALUE

SQL STATEMENT: string(155) "INSERT INTO `reserve` SET `reserve_date` = 'Sun 30th Sep', `reserve_time` = '6 :00pm', `seat_qty` = 3, `ref_code` = 451910, `movie_id` = 1, `member_id` = 1" MYSQL RETURN: bool(true) MYSQL ERROR: string(0) ""

Warning: Invalid argument supplied for foreach()


<?
// key-value pair of time array
foreach ($_GET['time'] as $key => $value) {
$name = $key;
$time = $value;
}
?>


'time' is derived from previos page(reservation2.php)


<?
if (isset($_SESSION['gmemberid'])) {

$tbl_name = "movie";
$result = mysql_query(sprintf('SELECT name,classification,screeningTime FROM %s
LIMIT 7', $tbl_name)) or die('Cannot execute query.');


//$numrow = mysql_num_rows($result);


while ($rows = mysql_fetch_assoc($result)) {
echo '<table width="100%" border="0"><tr><td height="68">
<table width="100%" height="47" border="0">
---------------------------------------------------------------------------------------------------------<br>';

echo '<strong>' . $rows['name'] . ' (' . $rows['classification'] . ')
<br></strong>';
foreach (explode(',', $rows['screeningTime']) as $time) { ?>
<label>
<input type="radio" name="time[<?php echo $rows['name']; ?>]"
title ="screening time" value="<?php echo $time; ?>">
<input type="hidden" name="selected_date"
value="<?php echo $_GET['selected_date']; ?>">

<?php echo $time; ?>&nbsp;&nbsp;&nbsp;
</label>
<?php } ?>
<?
}

}
?>

Well,I changed my query again,



if (isset($_GET['confirm'])){
$selected_date = mysql_real_escape_string($_GET['selected_date']);
$reserve_time = mysql_real_escape_string($_GET['showtime']);
$noOfSeat = (int) $_GET['noOfSeat'];
$refCode = (int) $_GET['refCode'];
$sql =<<<SQLSTM
INSERT
INTO `reserve`
SET
reserve_date = '$selected_date',
reserve_time = '$reserve_time',
seat_qty = $noOfSeat,
ref_code = $refCode,
movie_id = 1
SQLSTM;
if($res = mysql_query($sql,$dbconnectionidentifier))
{
echo('Record inserted successfully blah blah blah');
}
else
{
die($sql.' '.mysql_error()); // For debugging only
// handle error gracefully in production
}
}



When having action=reservation3.php,it displayed Record inserted successfully blah blah blah,however why mt_rand() always remain the same value in multiple records?


if (!isset($_SESSION['refCode'])) {
$_SESSION['refCode'] = mt_rand(100000, 999999);
}
$refCode = $_SESSION['refCode'];


And also what actually want the form to submitted and display all the value,including refCode in NEXT PAGE(reservation4.php).However,when putting action=reservation4.php, old problem raise back,no new record found in database.

You guys have any idea?It seems like my query is correct but database is not updating while form submitted into next page.I'm looking for your generious help...

$insert =MYSQL_QUERY("INSERT INTO tbl_name (id,title,date,news,link,img,contact,author)". "VALUES ('NULL', '$title', '$date', '$news', '$link', '$img', '$contact', '$author')");

so how do i put in escape values or what should i do....

If you want to escape values, then you'll need to use the function mysql_real_escape_string()

You'll need to escape everything that's parsed except the SQL string itself.



$title = mysql_real_escape_string($title);
$date = mysql_real_escape_string($date);
//and so on for all your values.

$insert =MYSQL_QUERY("INSERT INTO tbl_name (id,title,date,news,link,img,contact,author)". "VALUES ('NULL', '$title', '$date', '$news', '$link', '$img', '$contact', '$author')");