
checking if record with some field exists

mookid
Guest
 
Posts: n/a
#1: May 18 '07
Hello,

I am new to PHP, so I have done some research on how to check if an entry
exists in the table. I came up with the following code:

include("dbinfo.inc.php");   // defines $host, $username, $password, $database
$Name=$_POST['Name'];
$Code=$_POST['Code'];
mysql_connect($host,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$result = mysql_query("SELECT * FROM Contacts WHERE Code=$Code");
if($row = mysql_fetch_array($result)) echo "exists";
else
{$query = "INSERT INTO Contacts VALUES ('','$Name','$Code')";
mysql_query($query);   // run the INSERT only here, where $query is defined
echo "ok";}
mysql_close();

This works if the code is an integer (1264); however, if the code is a
string (a4fg5h4) it shows: "Warning: mysql_fetch_array(): supplied
argument is not a valid MySQL result resource in D:\xampp\htdocs\reg
\insert.php on line 10
ok"

I can't find out what the problem is here, as all the examples on the
web show similar code for doing the check.


Mike P2
Guest
 
Posts: n/a
#2: May 18 '07

re: checking if record with some field exists


On May 18, 2:30 pm, mookid <raimundas.ju...@gmail.com> wrote:
Quote:
> Hello,
>
> I am new to PHP, so I have done some research on how to check if an entry
> exists in the table. I came up with the following code:
>
> include("dbinfo.inc.php");
> $Name=$_POST['Name'];
> $Code=$_POST['Code'];
> mysql_connect($host,$username,$password);
> @mysql_select_db($database) or die( "Unable to select database");
> $result = mysql_query("SELECT * FROM Contacts WHERE Code=$Code");
> if($row = mysql_fetch_array($result)) echo "exists";
> else
> {$query = "INSERT INTO Contacts VALUES ('','$Name','$Code')";
> echo "ok";}
> mysql_query($query);
> mysql_close();
>
> This works if the code is an integer (1264); however, if the code is a
> string (a4fg5h4) it shows: "Warning: mysql_fetch_array(): supplied
> argument is not a valid MySQL result resource in D:\xampp\htdocs\reg
> \insert.php on line 10
> ok"
>
> I can't find out what the problem is here, as all the examples on the
> web show similar code for doing the check.

In SQL, strings need to be quoted. That example puts $Code right into
the query without putting the code in quotes (use single-quotes).
Change the end of the query to:
WHERE Code='$Code'

I hope you realize that code is not production-quality. It is
insecure/breakable: $Code and $Name need to be escaped. You should replace the
second and third lines with something like:

// note: mysql_real_escape_string() needs an open connection, so these lines
// must run after mysql_connect(), not before it
$Name = isset( $_POST['Name'] )
? mysql_real_escape_string( $_POST['Name'] )
: '';
$Code = isset( $_POST['Code'] )
? mysql_real_escape_string( $_POST['Code'] )   // escape Code here, not Name
: '';

-Mike PII
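The advice above (quote the string, escape both inputs) fixes the immediate failure, but escaping by hand is easy to get wrong and depends on an open connection, and the mysql_* extension itself was removed in PHP 7. Below is the same exists-or-insert check written with PDO prepared statements, added here as an example that is not part of the thread. With a bound parameter the value of Code is sent separately from the SQL text, so integer and string codes behave the same and the input cannot change the query's structure. It assumes dbinfo.inc.php defines the $host, $database, $username and $password variables mookid's snippet uses, and that Contacts has columns id, Name and Code, which the three-value INSERT suggests.

```php
<?php
// Added example, not code from the thread. Assumes dbinfo.inc.php defines
// $host, $database, $username, $password and that Contacts(id, Name, Code)
// is the table layout.
include 'dbinfo.inc.php';

$name = isset($_POST['Name']) ? (string) $_POST['Name'] : '';
$code = isset($_POST['Code']) ? (string) $_POST['Code'] : '';

// Reject empty or oversized input before touching the database.
if ($code === '' || strlen($code) > 64 || strlen($name) > 255) {
    http_response_code(400);
    exit('bad request');
}

try {
    $pdo = new PDO(
        "mysql:host=$host;dbname=$database;charset=utf8mb4",
        $username,
        $password,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]
    );

    // The placeholder is filled by the driver; $code is never spliced into the SQL text.
    $sel = $pdo->prepare('SELECT 1 FROM Contacts WHERE Code = :code LIMIT 1');
    $sel->execute([':code' => $code]);

    if ($sel->fetchColumn() !== false) {
        echo 'exists';
    } else {
        $ins = $pdo->prepare('INSERT INTO Contacts (Name, Code) VALUES (:name, :code)');
        $ins->execute([':name' => $name, ':code' => $code]);
        echo 'ok';
    }
} catch (PDOException $e) {
    // Keep driver messages in the server log; the client only sees a generic status.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'error';
}
```

Because ERRMODE_EXCEPTION is set, a failed query raises instead of returning false, so the "supplied argument is not a valid MySQL result resource" warning from the original post cannot occur: a failure is either caught and logged, or never reaches fetchColumn().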

mookid
Guest
 
Posts: n/a
#3: May 18 '07

re: checking if record with some field exists


Yes, funny thing, I understood that just after posting this
question to the group. No, I am not aware that this code has flaws; I
have quite some experience in Delphi, but I am new to PHP. I am writing
code for a key generator that will post the name and code from a desktop
application (over HTTP) to PHP, to be written to the database, and return
the status back to the application (whether it exists or not).

Mike P2 wrote:
Quote:
> In SQL, strings need to be quoted. That example puts $Code right into
> the query without putting the code in quotes (use single-quotes).
> Change the end of the query to:
> WHERE Code='$Code'
>
> I hope you realize that code is not production-quality. It is
> insecure/breakable: $Code and $Name need to be escaped. You should replace the
> second and third lines with something like:
>
> $Name = isset( $_POST['Name'] )
> ? mysql_real_escape_string( $_POST['Name'] )
> : '';
> $Code = isset( $_POST['Code'] )
> ? mysql_real_escape_string( $_POST['Code'] )
> : '';
>
> -Mike PII
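For the key-registration endpoint described in #3, the check-then-insert pattern has a second problem besides quoting: two requests carrying the same code can arrive together, both see "not exists", and both insert. The added example below, which is not code from the thread, makes the insert itself the check: it relies on a UNIQUE index on Contacts.Code and treats the duplicate-key error as "exists", then returns a one-word plain-text status the desktop client can parse. It assumes that UNIQUE index exists (for instance `ALTER TABLE Contacts ADD UNIQUE (Code)`) and that dbinfo.inc.php defines $host, $database, $username and $password as in the thread; the function name registerCode and the accepted code format are choices made for this example.

```php
<?php
// Added example, not code from the thread. Assumes a UNIQUE index on
// Contacts.Code and that dbinfo.inc.php defines $host, $database,
// $username, $password.
include 'dbinfo.inc.php';

// Insert the (name, code) pair; the UNIQUE index decides atomically whether
// the code is new. Returns 'ok' or 'exists'; any other DB error propagates.
function registerCode(PDO $pdo, string $name, string $code): string
{
    $ins = $pdo->prepare('INSERT INTO Contacts (Name, Code) VALUES (:name, :code)');
    try {
        $ins->execute([':name' => $name, ':code' => $code]);
        return 'ok';
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation;
        // MySQL driver error 1062 = duplicate entry for a UNIQUE key.
        if ($e->getCode() === '23000' && isset($e->errorInfo[1]) && $e->errorInfo[1] === 1062) {
            return 'exists';
        }
        throw $e;
    }
}

header('Content-Type: text/plain; charset=utf-8');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('error');
}

$name = isset($_POST['Name']) ? (string) $_POST['Name'] : '';
$code = isset($_POST['Code']) ? (string) $_POST['Code'] : '';

// Accept only short key-shaped tokens (the thread's examples are 1264 and
// a4fg5h4); anything else is rejected before the database is touched.
if (!preg_match('/^[A-Za-z0-9-]{1,64}$/', $code) || $name === '' || strlen($name) > 255) {
    http_response_code(400);
    exit('error');
}

try {
    $pdo = new PDO(
        "mysql:host=$host;dbname=$database;charset=utf8mb4",
        $username,
        $password,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    echo registerCode($pdo, $name, $code); // body is exactly "ok" or "exists"
} catch (PDOException $e) {
    error_log($e->getMessage()); // detail stays server-side
    http_response_code(500);
    echo 'error';
}
```

The desktop application then has a fixed contract to parse: HTTP 200 with a body of `ok` or `exists`, HTTP 400 for malformed input, HTTP 500 with `error` for anything else. Keeping the database's own message out of the response is deliberate; a raw driver error tells a caller more about the schema than a status word does.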