-5

I am creating a form that collects data and sends to a database using php, with a code snippet i got online.

$con=mysqli_connect("localhost","root","famakin","k");
if(mysqli_connect_errno())
{
   echo"FailedtoconnecttoMySQL:".mysqli_connect_error();
}
$sql="INSERT INTO transactions(Username,Insured_Name,combined,Residential_Address,Telephone,Email,Make_Of_Car,Model,Engine_Number,Year_Of_Manufacture,Chassis_Number,Vehicle_Class,Colour,Registeration_Number,Product_Type,Premium,Policy_Number,Start_Date,Expiry_Date,Date_Begin,Type_Of_Insurance,Status,  Transaction_id)VALUES('$_POST[Username]','$_POST[Insured_Name]','$_POST[combined]','$_POST[Residential_Address]','$_POST[Telephone]','$_POST[Email]','$_POST[Make_Of_Car]','$_POST[Model]','$_POST[Engine_Number]','$_POST[Year_Of_Manufacture]','$_POST[Chassis_Number]','$_POST[Vehicle_Class]','$_POST[Colour]','$_POST[Registeration_Number]','$_POST[Product_Type]','$_POST[Premium]','$_POST[Policy_Number]','$_POST[Date]','$_POST[Date_Expiry]','$_POST[Date_Begin]','$_POST[Type_Of_Insurance]','$_POST[Status]','$_POST[Transaction_id]')";
if(!mysqli_query($con,$sql))
{
   die('Error:'.mysqli_error($con));
}
mysqli_close($con);

This works for inserting details into the database,but i want to check if for example the username in which i am inserting into the database exists,please how do i go about this with what i have already?

regards

Bhumi Shah
  • 9,323
  • 7
  • 63
  • 104
stack stack
  • 55
  • 1
  • 2
  • 8

4 Answers4

4

There are two main approaches, essentially...

  1. SELECT from the database before trying to INSERT. If the record is found by the SELECT, don't perform the INSERT and instead respond to the user accordingly.
  2. Place a UNIQUE constraint on the column (or set of columns) which needs to be unique in the table. This would cause the INSERT to fail, and the code would have to catch and handle that failure and respond to the user accordingly.

The second option puts the responsibility squarely on the database itself, which is important if anything else if ever going to use that database and needs to maintain that same responsibility.

Also, and this is important, please note that your code is open to SQL injection attacks, which allows users to execute their own code on your server. You'll want to read up on that so you can protect your application.

David
  • 208,112
  • 36
  • 198
  • 279
4

Here, you can do it via mysqli_num_rows():

$username = mysqli_real_escape_string($con, $_POST['Username']);
$check_select = mysqli_query("SELECT * FROM `transactions` WHERE Username = '$username'"); 

$numrows=mysqli_num_rows($check_select);

if($numrows > 0){

// do something

}

else{

// do something else

}

Although there are other ways to do this, it is but one example.

You can avoid this by also setting your column(s) as UNIQUE.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
2

Just do a SELECT query before the INSERT. If a record with that username exists then don't insert the record.

danmullen
  • 2,556
  • 3
  • 20
  • 28
1

Well before you insert one you want to query for it's existence (please refer to Google on how to "Select data from Database PHP").

If that select count(*) from Transactions.... where Username =.. returns something other than 0 the username is already taken.

Note: I have bigger concerns about the fact you include POST-Parameters directly into your SQL-Query string and recommend you read something about "SQL Injection PHP".

I wrestled a bear once.
  • 22,983
  • 19
  • 69
  • 116
JBA
  • 2,769
  • 5
  • 24
  • 40