-2

Suppose you have a site where users can submit their names to participate in some classes. The users will fill in a form, then hit submit, and their names and telephone numbers will go to a table in a MySQL database. The thing I want to do is prevent a user from submitting his/her name twice by checking if the phone numbers are the same (I know it is silly this way, but I am just saying as an example). So what should I do? I am using this method to insert the form data into the database:

    $pdo = new PDO('mysql:host=localhost;dbname=form', 'formuser', 'password');
    $fname = $_REQUEST['fname']; //first name from the form
    $lname = $_REQUEST['lname']; //last name from the form
    $pnumber = $_REQUEST['pnumber']; //phone number from the form
    $query = 'INSERT INTO list SET
          firstname = "' . $fname . '",
          lastname = "' . $lname . '",
          phonenumber ="' . $pnumber . '",
          date = CURDATE()';
    $pdo->exec($query);

And I know this is not a safe way to insert data into the database. Again, I am trying to figure out a way and then deploy better solutions for submitting the data.

roostaamir
  • Using PDO does not mean that you are safe from SQL injection; your code is still vulnerable to SQL injection. You need to use prepared statements – NullPoiиteя Apr 01 '13 at 08:03
  • As I said, I know this code is not safe at all. I just skipped the prepared statements (and other security things) to simplify the code. But thanks for telling anyway – roostaamir Apr 01 '13 at 08:05
  • Crazy idea. If you want to see if data already exists in the table, try `SELECT`ing it. `SELECT COUNT(*) FROM list WHERE phonenumber = ?`. – DCoder Apr 01 '13 at 08:06
  • Introducing an injection issue is not simplifying things but the opposite. Also you can benefit from better error handling: http://stackoverflow.com/a/2104519/367456 – hakre Apr 01 '13 at 08:06
  • @hakre I am not going to do this kind of coding for real. I just wanted my code to be short, that's all – roostaamir Apr 01 '13 at 08:12

2 Answers

1

Firstly you need to check the telephone number:

    if (isset($_POST['your_button'])) {
        $phone = $_POST['pnumber']; // phone number from the form

        // Look the number up with a prepared statement instead of
        // interpolating it into the SQL string
        $stmt = $pdo->prepare('SELECT COUNT(*) FROM list WHERE phonenumber = ?');
        $stmt->execute([$phone]);

        if ($stmt->fetchColumn() > 0) {
            echo "phone number exists!";
        } else {
            $fname = $_REQUEST['fname'];     // first name from the form
            $lname = $_REQUEST['lname'];     // last name from the form
            $pnumber = $_REQUEST['pnumber']; // phone number from the form

            // Same INSERT as in the question, with the values bound as parameters
            $stmt = $pdo->prepare('INSERT INTO list SET
                firstname = :fname,
                lastname = :lname,
                phonenumber = :pnumber,
                date = CURDATE()');
            $stmt->execute([':fname' => $fname, ':lname' => $lname, ':pnumber' => $pnumber]);
        }
    }

1

Just like what you have said in your question, your communication with the table is unsafe.

But to answer your question, here is a sample query:

    -- bind $fname, $lname and $pnumber as parameters rather than
    -- splicing them into the query text
    SELECT IF(COUNT(*) > 0, TRUE, FALSE)
        FROM list
        WHERE firstname = ?
            AND lastname = ?
            AND phonenumber = ?

I'm not familiar with PHP, maybe you can work that out. The query outputs TRUE if there is a duplicate first name, last name and phone number. If the query outputs TRUE, you can prevent the record from being inserted into your table.

KaeL
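Both answers (and DCoder's comment) describe the same check-then-insert pattern. The following is an added example, not code from the question or from either answer, that puts it together with PDO prepared statements, and adds the piece a check alone cannot give you: a UNIQUE index on `phonenumber`, so that two requests racing past the `SELECT` cannot both insert. The `form` database, the `list` table and the `formuser` credentials come from the question; the `uq_list_phonenumber` index name, the `connect()`/`phoneExists()`/`registerParticipant()` helpers and the digits-only normalisation of the phone number are assumptions made here.

```php
<?php
// Added example (not the question's or the answers' code).
// Assumes the `form` database and `list` table from the question; the
// UNIQUE index and the helper names are assumptions of this example.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=form;charset=utf8mb4',
        'formuser',
        'password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Run once (e.g. as a migration). The constraint is what actually
// guarantees uniqueness; the application-level check below is only a
// convenience for the common case.
function ensureUniquePhone(PDO $pdo): void
{
    $pdo->exec('ALTER TABLE list ADD UNIQUE INDEX uq_list_phonenumber (phonenumber)');
}

// Application-level check: true if the number is already registered.
// The value is bound, never concatenated into the SQL text.
function phoneExists(PDO $pdo, string $phone): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM list WHERE phonenumber = ?');
    $stmt->execute([$phone]);
    return (int) $stmt->fetchColumn() > 0;
}

// Insert with bound parameters. Returns false if the UNIQUE index rejects
// the row (MySQL error 1062, SQLSTATE 23000), which is what happens when a
// second request slips past the pre-check at the same moment.
function registerParticipant(PDO $pdo, string $fname, string $lname, string $phone): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO list (firstname, lastname, phonenumber, date)
         VALUES (:fname, :lname, :phone, CURDATE())'
    );
    try {
        $stmt->execute([
            ':fname' => $fname,
            ':lname' => $lname,
            ':phone' => $phone,
        ]);
        return true;
    } catch (PDOException $e) {
        if (isset($e->errorInfo[1]) && $e->errorInfo[1] === 1062) {
            return false; // duplicate entry for the UNIQUE key
        }
        throw $e; // anything else is a real failure
    }
}

// Request handling: validate, pre-check for a friendly message, then insert.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fname = trim($_POST['fname'] ?? '');
    $lname = trim($_POST['lname'] ?? '');
    // Normalise to digits so "0912-345" and "0912 345" compare equal (assumption)
    $phone = preg_replace('/\D+/', '', $_POST['pnumber'] ?? '');

    if ($fname === '' || $lname === '' || $phone === '') {
        http_response_code(400);
        echo 'All fields are required.';
        exit;
    }

    $pdo = connect();

    if (phoneExists($pdo, $phone) || !registerParticipant($pdo, $fname, $lname, $phone)) {
        echo 'This phone number is already registered.';
    } else {
        echo 'Registration saved.';
    }
}
```

The pre-check and the constraint are complementary: the `SELECT` lets you tell the user what went wrong before attempting the write, while the UNIQUE index is the only thing that holds under concurrent submissions, so `registerParticipant()` has to be prepared for the duplicate-key error even after `phoneExists()` returned false.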