
I wanna insert a form's data into different tables, for example full name and email in the patient table and appointment time in the reserve table. The problem is that patient table data inserts normally but the reserve table remains empty. I tried several times but nothing worked, so this is my try, and if you could write better code for me I would appreciate that.

```php
$sql= "INSERT INTO patient (fullname,phone,email) 
           VALUES ('$fullname','$phone','$email')";

$pid="SELECT idpatient FROM patient where email= '$email'" ;
$inst="INSERT INTO reserve ( apptime, patientID) VALUES ('$apptime','$pid' )";


if (mysqli_query($conn,$sql)  ){
    header ('Location:index.php#Reserve');
}else {
    echo 'ERROR'. mysqli_error($conn);
}

if (mysqli_query($conn,$inst) ){
    header ('Location:index.php#Reserve');
    echo $apptime;
} else {
    echo 'ERROR2'. mysqli_error($conn);
}

} 
```
Somia
  • You're attempting to insert the string from $pid into your reserve, so it looks like `INSERT INTO reserve ( apptime, patientID) VALUES ('apptime','SELECT idpatient FROM patient where email= 'some@email.com'' )` This of course is not valid. – aynber May 10 '22 at 19:20
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 10 '22 at 19:22
  • Remove quotes around `'$pid'` if you want to do that – Dharman May 10 '22 at 19:23
  • By the way, getting the [insert_id](https://www.php.net/manual/en/mysqli.insert-id.php) would be a lot easier than running another query. – aynber May 10 '22 at 19:31
  • I removed '$pid' and nothing has changed, same problem :( – Somia May 10 '22 at 19:39
  • `same problem`...which is? You didn't tell us what error you're getting. Fix the SQL injection problem, it will also reduce the risk of SQL syntax errors, which cannot do anything except help you. And yeah, use the last insert ID function to get the patient ID, instead of doing a separate SELECT. – ADyson May 10 '22 at 23:22
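
What the comments recommend (prepared statements plus `insert_id`), written out as an added example that is not part of the original question or comments. It assumes `$conn` is an open mysqli connection, `idpatient` is an AUTO_INCREMENT key, the tables use a transactional engine such as InnoDB, and the `$_POST` field names match the form; `reserveAppointment()` is a hypothetical name.

```php
<?php
// Added example, not the asker's code. Assumed schema (from the question):
//   patient(idpatient AUTO_INCREMENT, fullname, phone, email)
//   reserve(apptime, patientID)

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function reserveAppointment(mysqli $conn, string $fullname, string $phone,
                            string $email, string $apptime): int
{
    $conn->begin_transaction();
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $conn->prepare(
            'INSERT INTO patient (fullname, phone, email) VALUES (?, ?, ?)');
        $stmt->bind_param('sss', $fullname, $phone, $email);
        $stmt->execute();

        // Id generated by the INSERT above on this connection;
        // no second SELECT by email is needed.
        $patientId = $conn->insert_id;

        $stmt = $conn->prepare(
            'INSERT INTO reserve (apptime, patientID) VALUES (?, ?)');
        $stmt->bind_param('si', $apptime, $patientId);
        $stmt->execute();

        $conn->commit();   // both rows are stored, or neither
        return $patientId;
    } catch (mysqli_sql_exception $e) {
        $conn->rollback();
        throw $e;
    }
}

// Usage in the form handler ($conn and the $_POST keys are assumptions).
try {
    reserveAppointment($conn, $_POST['fullname'] ?? '', $_POST['phone'] ?? '',
                       $_POST['email'] ?? '', $_POST['apptime'] ?? '');
    header('Location: index.php#Reserve');   // redirect only after both inserts
    exit;
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // details go to the server log, not the browser
    http_response_code(500);
    echo 'Could not save the reservation.';
}
```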
