-4
include "../connect/DB.php";
include('header.php');
if (isset($_POST['submit'])){

    $fname              = $_POST['name'];
    $lname              = $_POST['lname'];
    $gender             = $_POST['gender'];
    $num1               = $_POST['num1'];
    $num2               = $_POST['num2'];
    $ltr                = $_POST['ltr'];
    $num3               = $_POST['num3'];
    $id_number          = $num1."-".$num2."-".$ltr."-".$num3;
    $month0             = $_POST['month0'];
    $date0              = $_POST['dt0'];
    $year0              = $_POST['year0'];
    $dob                = $date0."-".$month0."-".$year0;
    $address            = $_POST['address'];
    $email              = $_POST['email'];
    $mobile             = $_POST['mobile'];
    $reg_number         = $_POST['reg_num'];
    $university         = $_POST['university'];
    $college_supervisor = $_POST['college_supervisor'];
    $programme          = $_POST['programme'];
    $work_sup           = $_POST['work_sup'];
    $month              = $_POST['month'];
    $date               = $_POST['dt'];
    $year               = $_POST['year'];
    $month1             = $_POST['month1'];
    $date1              = $_POST['dt1'];
    $year1              = $_POST['year1'];
    $attach_from        = $date."-".$month."-".$year;       
    $attach_to          = $date1."-".$month1."-".$year1;

    $checkQuery = mysqli_query($con, "SELECT * FROM `student` WHERE `reg_number`='".$reg_number."'");
    if (mysqli_num_rows($checkQuery) > 0)
    {
echo '<script type="text/javascript">alert("This Registration Number" .$reg. " already exists");window.history.go(-1);</script>';
    }
    else{

        $sqli = "INSERT INTO `student` VALUES (0,'".$fname."','".$lname."','".$id_number."','".$gender."','".$mobile."','".$email."','".$address."','".$reg_number."','".$university."','".$college_supervisor."','".$programme."','".$work_sup."','".$attach_from."','".$attach_to."')" or die(mysql_error('technical error'));

        if ($dbo->query($sqli) === TRUE) {
            echo '<script type="text/javascript">alert("Successfully registered!");window.history.go(-1);</script>';
        }
    }
}
?>
Mörre
  • 5,699
  • 6
  • 38
  • 63
Yaprecia
  • 1
  • It is posting to the database but its not returning the messages like 'Successfully registered!' I'm stuck – Yaprecia Jan 22 '15 at 08:36

1 Answers1

1
$sqli = "INSERT INTO `student`...." or die(mysql_error('technical error'));

Where do you execute the query? Nowhere, and that's your smallest error :) The biggest one in that code can take the whole database down.

Please dont say that $dbo->query($sqli) executes your query because there is no $dbo object in that code. It has a mix of mysql and mysqli and none of them is named $dbo

How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Hanky Panky
  • 46,730
  • 8
  • 72
  • 95