在一个process.php文件中提交第二次查询之前，如何查询SQL数据库？

Question

I have a process booking script which takes information from a HTML booking form and sends it to a mySQL relational database.

It worked fine, however I have modified the code so that the first query checks to see whether the room they have selected is booked at any time during the date range they have specified. This can be seen in the first query $q

If it is already booked on any of the days the user submitted for that room, the script should echo an error, else it should fire the mysqli_multiquery and submit the data.

Both of these queries work directly in sql, however I am having trouble figuring out why the initial if statement does not work - 'if(mysqli_num_rows($result) == 0)'.

Here is the PHP file:

******** EDIT **********

When I submit a booking for a room that already prebooked for the requested date range, it is submitted instead of echoing the content in the else statement.

Here are the error messages:

Error messages displayed

******** EDIT TWO **********

Fixed! The problem was with a bad query.

<html>



<body>

    <?php

        $page_title = 'Process Booking Form';

        require 'login-db.php';   //  require once means that it well generate a fatal error if the file is not found and means that the file will only be read in when it has not previously been inclued which prevents wastefule duplicate disk accesses.

         $dbc = new mysqli($hn, $un, $pw, $db);



        if($dbc->connect_error) {

           die ($dbc->connect_error);

        }



        if(isset($_POST['firstname']) &&

           isset($_POST['lastname']) &&

           isset($_POST['datefrom']) &&

           isset($_POST['dateto']) &&

           isset($_POST['specialevent']) &&

           isset($_POST['roomnumber']))

        {

            $firstname     = secure_post($dbc, 'firstname');

            $lastname      = secure_post($dbc, 'lastname');   //security

            $datefrom      = secure_post($dbc, 'datefrom');

            $dateto        = secure_post($dbc, 'dateto');

            $specialevent  = clean_string($dbc, 'specialevent');

            $roomno        = secure_post($dbc, 'roomnumber');



                //validation



                $error_message = "";



                if(strlen($firstname) < 2 || strlen($firstname) > 20) {

                    $error_message .= 'Your first name does not appear to be valid.<br>';

                }



                if(strlen($lastname) < 2 || strlen($lastname) > 30) {

                    $error_message .= 'Your last name does not appear to be valid.<br>';

                }



                if(strlen($error_message) > 0) {

                    die($error_message);

                }


                //Query to find out if user selected dates are already booked for their chosen room
                $q = "SELECT customerinfo.firstname, customerinfo.lastname, roominfo.roomnumber, roominfo.roomsize, roominfo.roomprice, bookings.datefrom, bookings.dateto, bookings.daterange

                FROM customerinfo

                LEFT JOIN bookings ON bookings.customer_id = customerinfo.customer_id

                LEFT JOIN transactions ON customerinfo.customer_id = transactions.customer_id

                LEFT JOIN transactionsdetails ON transactionsdetails.transactions_id = transactions.transactions_id

                LEFT JOIN roominfo ON transactionsdetails.room_id = roominfo.room_id

                WHERE roomnumber = $roomno

                AND (bookings.datefrom BETWEEN $datefrom AND $dateto)

                OR (roomnumber = $roomno

                AND (bookings.dateto BETWEEN $datefrom AND $dateto))";

                $result = mysqli_query($dbc, $q);

                // $checkdates = mysqli_query($dbc, $checkdatessql);

                if(mysqli_num_rows($result) == 0) {

                        //echo confirmation message to user
                        echo "Hello $firstname, your booking has been requested for room: $roomno. Your check-in date and time is $datefrom at 11:00am and your scheduled checkout date and time is $dateto at 15:00pm. Thank you for choosing to stay at Westworld.";

                        //submit customer information to the database
                        mysqli_multi_query($dbc,

                         "INSERT INTO customerinfo(firstname, lastname, specialevent) VALUES ('$firstname','$lastname','$specialevent');

                        SET @cusID := LAST_INSERT_ID();

                        INSERT INTO bookings(dateto, datefrom, daterange, customer_id) VALUES ('$dateto','$datefrom',DATEDIFF(dateto,datefrom), @cusID);

                        INSERT INTO transactions (customer_id, datebooked) VALUES (@cusID, CURDATE());

                         SET @roomID := (SELECT room_id FROM roominfo WHERE roomnumber = '$roomno');

                        INSERT INTO transactionsdetails (transactions_id, room_id) VALUES (LAST_INSERT_ID(), @roomID);");
                } else {
                  //echo room error message
                  echo "The room you have selected is unavailable in that date range.";
                }


            $r->close();

            $dbc->close();


        };



        function secure_post($dbc, $string) {

            return htmlentities($dbc->real_escape_string($_POST[$string]));

        } 



        function clean_string($dbc, $string) {

            if (get_magic_quotes_gpc())  $string = stripslashes($string);

            return htmlentities($dbc->real_escape_string($_POST[$string]));

        }


    ?>



</body>

Answer 1

Well, add a "print_r(mysqli_num_rows($result));" and see what comes out. It may return a string, as mentioned in the documentation. I don't know what you use in your $datefrom and other variables, which you are using within your querys without any escaping ( great idea ) but when it is a valid date ('YYYY-MM-DD'), then you need to escape it.

Whatever it is, you should REALLY switch to PDO. there you can use prepared statements and let PDO map the variables for you (you still write the same SQL-command but instead of "$test" you write ":test" and then say ":test should be replaced by $test and it's a string"). MUCH safer and companies won't fire you on the spot ;)

Next time try to keep the code simple like one simple select-query, then the mysqli_num_rows, then one return and nothing else. Don't post more than you need to for people to understand your problem.