Member Avatar for opawix 
if (@$_GET['action'] == "Save") 
if(@$_GET[idnum]==null || @$_GET[fname]==null || @$_GET[lname]==null||@$_GET[midin]==null||@$_GET[gender]==null||@$_GET[bdate]==null||@$_GET[course]==null||@$_GET[year]==null||@$_GET[address]==null||@$_GET[cnum]==null)
{

echo "<font size=5><center>Fill-Up First the Provided Information<br><button type=button onclick=history.back();>Back</button></center></font>";
}
else 

{
      @$result = mysql_query("insert into students      
(idnum,fname,lname,midin,gender,bdate,course,year,address,cnum)


VALUES ('$_GET[idnum]','$_GET[fname]','$_GET[lname]','$_GET[midin]','$_GET[gender]','$_GET[bdate]','$_GET[course]','$_GET[year]','$_GET[address]',
        '$_GET[cnum]')");





if(mysql_error())

{

echo "<font size=5><center>ID Number: $_GET[idnum]. Already Exist(it must be unique)<br><button type=button onclick=history.back();>Back</button></center></font>";
}


else
 {

echo "<font size=5><center>Record Successfully Added<br><button type=button onclick=history.back();>Back</button></center></font>";

             }

}

Dude could someone please make it a whole constraint a unique entry that will added on my sql database? just the fname/firstname and lname/lastname only. thanks in advance guys for someone who help. :D

  • 2 Contributors
  • 6 Replies
  • 301 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by opawix
Member Avatar for broj1

Make the ID of a record in your students table autoincrement and use it as a primary key. If this is not an option, check for existence of the record first with SELECT COUNT(*).

A note on security: do not use $_GET array values directly in your insert query since you are asking for SQL injection. Validate, sanitize and escape them first.

Member Avatar for opawix

i already set my ID A_I and set it primary. the issue here is duplication of firstname,lastname entry. $_GET will get the values input. my code is working. it just that it lack of constraint. by the way thank you dude. :D

Member Avatar for broj1

In that case first check whether the firstname/lastname pair already exist:

$fname = mysql_real-escape_str($_GET['fname']);
$lname = mysql_real-escape_str($_GET['lname']);

$check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";

If this query returns 1 (or more) rows the firstname/lastname pair is not unique.

Member Avatar for opawix

where do i integrate this code sir? i'm a total newbie. sorry sir.

Member Avatar for broj1

This is how I would do it:

<?php
if (@$_GET['action'] == "Save") {
    if(
        @$_GET[idnum]==null   || 
        @$_GET[fname]==null   || 
        @$_GET[lname]==null   ||
        @$_GET[midin]==null   ||
        @$_GET[gender]==null  ||
        @$_GET[bdate]==null   ||
        @$_GET[course]==null  ||
        @$_GET[year]==null    ||
        @$_GET[address]==null ||
        @$_GET[cnum]==null
    ) {

        echo "<font size=5><center>Fill-Up First the Provided Information<br>
        <button type=button onclick=history.back();>Back</button></center></font>";

    } else {

        // first check whether a combination of first name / last name
        // already exists in the students table

        // very important: escape the values before sending the query to the database
        $fname = mysql_real-escape_str($_GET['fname']);
        $lname = mysql_real-escape_str($_GET['lname']);
        $check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";

        // send the query to the database
        $result = mysql_query($check_qry);

        // get the number of rows returned
        $num_rows = mysql_num_rows($result);

        // if number of rows equals 1 or more than the combination of 
        // first name and last name already exists in the table
        if($num_rows >= 1) {

            echo "The person $fname $lname already exists in the database!";

        // if number of rows equals 0, do the insert query
        } else {

            // security first: escape all the values before inserting them in database
            $idnum    = mysql_real_escape_string($_GET['idnum']);
            $midin    = mysql_real_escape_string($_GET['midin']);
            $gender   = mysql_real_escape_string($_GET['gender']);
            $bdate    = mysql_real_escape_string($_GET['bdate']);
            $course   = mysql_real_escape_string($_GET['course']);
            $year     = mysql_real_escape_string($_GET['year']);
            $addressm = mysql_real_escape_string($_GET['address']);
            $cnum     = mysql_real_escape_string($_GET['cnum']);

            // prepare the insert query
            $ins_qry  = 'INSERT INTO students ';
            $ins_qry .= '(idnum,fname,lname,midin,gender,';
            $ins_qry .= 'bdate,course,year,address,cnum) ';
            $ins_qry .= 'VALUES ';
            $ins_qry .= "('$idnum','$fname','$lname','$midin','$gender',";
            $ins_qry .= "'$bdate','$course','$year','$addressm','$cnum')";

            // execute the query
            @$result = mysql_query($ins_qry);

            echo "<font size=5><center>Record Successfully Added<br>
                <button type=button onclick=history.back();>Back</button>
                </center></font>";
         }
    }
}

I put a SELECT COUNT(*) query before the INSERT query just to check whether the first name / last name pair already exists in the database. If it doesnt exist (number of rows = 0) then do the insert query. I got rid of the if(mysql_error()) block since it is not appropriate way to check for existing records. mysql_error can return true in other cases too (i.e the database server is down).

I have changed and formated your other code too. I made sure code is a bit closer to coding standards, I added some comments which helps everyone and most importantly I added minimum security measures: escaping the values before they go to the database.

Edited by broj1
Member Avatar for opawix

thank you for your great work sir. :D

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.