I'm creating a reservation system in which the client will fill out a reservation form (Location, Classroom, Time, & Date).
My question is about checking the records typed before inserting them into the database. That is, if the LOCATION, CLASSROOM, TIME, and DATE were already inserted/taken/reserved in the database, then the system will prompt a message like "The Location, Date and Time were reserved already"; otherwise the record will be inserted into the database. I ran this code, but it still records the same location, classroom, date, and time. Is there something wrong with this code?
$res_location = isset($_POST['res_location']);
$res_classroom = isset($_POST['res_classroom']);
$res_inclusive_date = isset($_POST['res_inclusive_date']);
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']);
// Build the query
$query = sprintf("SELECT Location_Faculty FROM tbl_reservation WHERE Location_Faculty=%s AND Classroom=%s AND Inclusive_Date=%s AND Inclusive_Time=%s ",
    GetSQLValueString($res_location, "text"),
    GetSQLValueString($res_classroom, "text"),
    GetSQLValueString($res_inclusive_date, "date"),
    GetSQLValueString($res_inclusive_time_start, "date"));
$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
$num_rows = mysql_num_rows($result);
if ($num_rows >= 1) {
    // then the record already exists
    echo "Duplicate entry";
}
else {
    // insert query
}
It's SQL Injection free because of the "GetSQLValueString" function.
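
An added example, not part of the original post: one way to get the duplicate check described above, reading the submitted values themselves (isset() returns only true or false) and letting a UNIQUE constraint reject a repeated slot, so the check and the insert are a single statement and two simultaneous submissions cannot both succeed. Assumptions: PDO with an in-memory SQLite database standing in for MySQL, a hypothetical reserve() helper, and a constructed sample submission; table and column names follow the post.

```php
<?php
// Added example, not the poster's code. SQLite in memory stands in for MySQL
// (assumption); table and column names follow the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumed schema: the UNIQUE constraint makes the database reject a repeated slot.
$pdo->exec('CREATE TABLE tbl_reservation (
    Location_Faculty TEXT NOT NULL, Classroom TEXT NOT NULL,
    Inclusive_Date TEXT NOT NULL, Inclusive_Time TEXT NOT NULL,
    UNIQUE (Location_Faculty, Classroom, Inclusive_Date, Inclusive_Time))');

// Hypothetical helper: returns true if the slot was reserved, false if already taken.
function reserve(PDO $pdo, array $form): bool
{
    $values = [];
    foreach (['res_location', 'res_classroom', 'res_inclusive_date', 'res_inclusive_time_start'] as $f) {
        // isset() only says whether the field exists; read the value itself.
        if (!isset($form[$f]) || !is_string($form[$f]) || trim($form[$f]) === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
        $values[] = trim($form[$f]);
    }
    $stmt = $pdo->prepare('INSERT INTO tbl_reservation
        (Location_Faculty, Classroom, Inclusive_Date, Inclusive_Time) VALUES (?, ?, ?, ?)');
    try {
        $stmt->execute($values); // values are bound, not spliced into the SQL text
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate key).
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return false;
        }
        throw $e;
    }
}

// Constructed sample submission (in the real form handler this would be $_POST), sent twice.
$form = [
    'res_location' => 'Main Building',
    'res_classroom' => 'Room 101',
    'res_inclusive_date' => '2024-05-01',
    'res_inclusive_time_start' => '09:00',
];
foreach ([1, 2] as $attempt) {
    echo reserve($pdo, $form)
        ? "Reserved\n"
        : "The Location, Date and Time were reserved already\n";
}
```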