
checking if record with some field exists

Hello,

I am new to PHP so I have done some research on how to check if an entry
exists in the table. I came up with the following code:

include("dbinfo.inc.php");
$Name=$_POST['Name'];
$Code=$_POST['Code'];
mysql_connect($host,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$result = mysql_query("SELECT * FROM Contacts WHERE Code=$Code");
if($row = mysql_fetch_array($result)) echo "exists";
else
{$query = "INSERT INTO Contacts VALUES ('','$Name','$Code')";
echo "ok";}
mysql_query($query);
mysql_close();

This works if the code is an integer (1264), however if the code is
a string (a4fg5h4) it shows - "Warning: mysql_fetch_array(): supplied
argument is not a valid MySQL result resource in D:\xampp\htdocs\reg\insert.php on line 10
ok"

I can't find out what the problem is here, as all the examples on the
web show similar code to do the checking.

May 18 '07 #1
2 Replies


On May 18, 2:30 pm, mookid <raimundas.ju...@gmail.com> wrote:
> Hello,
>
> I am new to PHP so I have done some research on how to check if an entry
> exists in the table. I came up with the following code:
>
> include("dbinfo.inc.php");
> $Name=$_POST['Name'];
> $Code=$_POST['Code'];
> mysql_connect($host,$username,$password);
> @mysql_select_db($database) or die( "Unable to select database");
> $result = mysql_query("SELECT * FROM Contacts WHERE Code=$Code");
> if($row = mysql_fetch_array($result)) echo "exists";
> else
> {$query = "INSERT INTO Contacts VALUES ('','$Name','$Code')";
> echo "ok";}
> mysql_query($query);
> mysql_close();
>
> This works if the code is an integer (1264), however if the code is
> a string (a4fg5h4) it shows - "Warning: mysql_fetch_array(): supplied
> argument is not a valid MySQL result resource in D:\xampp\htdocs\reg\insert.php on line 10
> ok"
>
> I can't find out what the problem is here, as all the examples on the
> web show similar code to do the checking.

In SQL, strings need to be quoted. That example puts $Code right into
the query without putting the code in quotes (use single-quotes).
Change the end of the query to:
WHERE Code='$Code'

I hope you realize that code is not production-quality. It is insecure/
breakable, $Code and $Name need to be escaped. You should replace the
second and third lines with something like:

// Escape each posted value before it is placed in the query string
$Name = isset( $_POST['Name'] )
    ? mysql_real_escape_string( $_POST['Name'] )
    : '';
$Code = isset( $_POST['Code'] )
    ? mysql_real_escape_string( $_POST['Code'] )
    : '';

-Mike PII

May 18 '07 #2
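
A parameterized version of the check discussed above, as an added example that is not part of the original posts: it uses PDO prepared statements in place of the mysql_* calls and string interpolation, and treats a UNIQUE violation as "exists". The in-memory SQLite database, the column list, the UNIQUE index on Code, the function name registerCode and the sample values are assumptions made so the example runs stand-alone.

```php
<?php
// Added example: hardened form of the check-then-insert from the thread.
// Assumptions: in-memory SQLite stands in for MySQL; the Contacts columns
// (id, Name, Code) and the UNIQUE index on Code are guesses at the schema.

function registerCode(PDO $db, string $name, string $code): string
{
    // Placeholders keep the values out of the SQL text, so a string code
    // such as a4fg5h4 needs no hand-written quoting or escaping.
    $check = $db->prepare('SELECT 1 FROM Contacts WHERE Code = :code LIMIT 1');
    $check->execute([':code' => $code]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }

    try {
        $insert = $db->prepare('INSERT INTO Contacts (Name, Code) VALUES (:name, :code)');
        $insert->execute([':name' => $name, ':code' => $code]);
        return 'ok';
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation: another request
        // inserted the same code between the SELECT and the INSERT.
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'exists';
        }
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Contacts (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    Name TEXT NOT NULL,
    Code TEXT NOT NULL UNIQUE
)');

// Constructed sample input standing in for $_POST['Name'] / $_POST['Code'].
$samples = [
    ['Alice', '1264'],
    ['Bob', 'a4fg5h4'],
    ['Carol', 'a4fg5h4'],     // duplicate code
    ["O'Brien", "ab'12"],     // quote characters are stored as plain data
];
foreach ($samples as [$name, $code]) {
    printf("%-10s => %s\n", $code, registerCode($db, $name, $code));
}
```
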

Yes, funny thing that I understood that just after posting this
question on the group. No, I am not aware that this code has flaws, I
have quite some experience in Delphi, however I am new to PHP. I am writing
code for a key generator that will post a name and code from a desktop
application (using HTTP) to PHP to be written to the database and return
the status back to the application (if it exists or not).

Mike P2 wrote:
> In SQL, strings need to be quoted. That example puts $Code right into
> the query without putting the code in quotes (use single-quotes).
> Change the end of the query to:
> WHERE Code='$Code'
>
> I hope you realize that code is not production-quality. It is insecure/
> breakable, $Code and $Name need to be escaped. You should replace the
> second and third lines with something like:
>
> $Name = isset( $_POST['Name'] )
>     ? mysql_real_escape_string( $_POST['Name'] )
>     : '';
> $Code = isset( $_POST['Code'] )
>     ? mysql_real_escape_string( $_POST['Code'] )
>     : '';
>
> -Mike PII
May 18 '07 #3
