
I would like to ask something here. Now I make a form that inserts data into a table. This table kemaskini already has

+------+----------+----------+
|  no  |    Item  | kuantiti |    
+------+----------+----------+
|  1   | Speaker  |   10     |
+------+----------+----------+
|  2   | Laptop   |   10     |
+------+----------+----------+
|  3   | Mouse    |   10     |
+------+----------+----------+

When I type "Speaker" in the form and submit it, it traces it and says Try Again, because it already exists. The code that I write is here. It only traces row 1 of table kemaskini. When I type "Laptop" in the form and submit it, it inserts normally.

One more thing: how can I trace that "Speaker" and "speaker" are the same?

    if (isset($_POST['submit']))
    {
        // Select every Item, but read only the FIRST row of the result set
        $result = mysql_query("SELECT Item FROM kemaskini");
        $test   = mysql_fetch_array($result);
        $trace  = $test['Item'];

        // Compares the submitted value against that single row only
        if ($_POST['Item'] == $trace)
        {
            echo "Try Again";
        }
        else
        {
            $item     = $_POST['Item'];
            $kuantiti = $_POST['kuantiti'];

            // Values are interpolated straight into the SQL string
            mysql_query("INSERT INTO `kemaskini`(Item,kuantiti)
                         VALUES ('$item','$kuantiti')");

            header("Location: kemaskini.php");
        }
    }
John Woo

2 Answers


The reason for that is that you are not looping over the result from mysql_fetch_array(), which is why you are only checking the first value of the result. If you don't want to iterate, you can change the query into:

$itemToSearch = "Speaker";
$result = mysql_query("SELECT COUNT(*) result 
                       FROM kemaskini
                       WHERE Item = '$itemToSearch'");

which will give you the total number of items found,

$test = mysql_fetch_array($result);
$trace = $test['result'];

if($trace > 0)
{
    echo "Try Again";
}
else
{
 // insert value
}

As a side note, the query is vulnerable to SQL Injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

John Woo
  • sir, I tried it. It works, BUT when I try to insert something like Phone, it displays Try Again. It traces as if Phone already exists, but Phone is not inserted yet. – Fahmi Nazirul Mar 24 '13 at 04:09

Regarding how you can trace that "Speaker" and "speaker" are the same: you can use the upper() or lower() function that most database engines support. I don't work with mysql so I am going on an assumption here. Your check would be something like this:

select count(*) records 
from kemaskini
where lower(item) = 'speaker'

Having said that, I have to warn you that using functions in the where clause like this makes your queries run slower.

If JW's comment about PreparedStatements includes using query parameters (I don't work with php either), it's very good advice. Not only do they increase the security of your applications, but they escape special characters such as apostrophes. Since you are doing a character search, you would not want your query to crash if the user submitted something like "Dave's keyboard" to your application.

Dan Bracuk
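
Putting both answers together, as an added example that is not code from either answer: the duplicate check uses a PDO prepared statement (so a value such as "Dave's keyboard" is bound as a parameter rather than spliced into the SQL), compares with LOWER() so "Speaker" and "speaker" match, and reads the item from the submitted form instead of a hard-coded "Speaker". The DSN, the credentials, the `inventory` database name and the `kemaskini.php` redirect target are assumptions.

```php
<?php
// Added example (not from the original answers): duplicate check with a
// prepared statement, case-insensitive via LOWER(), followed by the insert.
// Assumed: the DSN/credentials below, and a form that posts Item and kuantiti.
$pdo = new PDO('mysql:host=localhost;dbname=inventory;charset=utf8mb4',
               'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepares
]);

// Returns true when an item with the same name (ignoring case) already exists.
function itemExists(PDO $pdo, string $item): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM kemaskini WHERE LOWER(Item) = LOWER(:item)'
    );
    $stmt->execute([':item' => $item]);    // bound value, never interpolated
    return (int) $stmt->fetchColumn() > 0;
}

// Inserts one row; kuantiti is an int because the column holds a number.
function insertItem(PDO $pdo, string $item, int $kuantiti): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO kemaskini (Item, kuantiti) VALUES (:item, :kuantiti)'
    );
    $stmt->execute([':item' => $item, ':kuantiti' => $kuantiti]);
}

if (isset($_POST['submit'])) {
    $item     = trim($_POST['Item'] ?? '');
    $kuantiti = filter_var($_POST['kuantiti'] ?? '', FILTER_VALIDATE_INT);

    if ($item === '' || $kuantiti === false) {
        echo "Invalid input";              // empty name or non-numeric quantity
    } elseif (itemExists($pdo, $item)) {   // "Speaker" and "speaker" both hit
        echo "Try Again";
    } else {
        insertItem($pdo, $item, $kuantiti);
        header("Location: kemaskini.php");
        exit;                              // stop running after the redirect
    }
}
```

A unique index on `kemaskini.Item` (or on `LOWER(Item)` via a generated column) would make the database reject a duplicate even if two requests pass the check at the same time.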