Need help on conditioning value in php

Question

I want that I have an error message if that idno has finish to registered in 2015, No need to unique the idno cause I have to redundant because every year that idno can be save or register on the database but the problem is I want to check if he already registered in 2015 or 2016 or 2017.

Here is my code in saving student information:

<?php

if (isset($_POST['save'])){
$stud_id= $_POST['stud_id'];
$idno = $_POST['idno'];
$lastname = $_POST['lastname'];
$firstname = $_POST['firstname'];
$middlename= $_POST['middlename'];
$year= $_POST['year'];
$dept_id = $_POST['dept_id'];
$progid = $_POST['progid'];
$user_type = $_POST['user_type'];
$password= $_POST['password'];
$syear= $_POST['syearid'];
$YearNow=Date('Y');

$sql = mysql_query("SELECT * FROM student where idno = '$idno'")or die(mysql_error());
$count = mysql_num_rows($sql);

$sql1 = mysql_query("SELECT * FROM student,school_year where    student.syearid = school_year.syearid AND school_year.from_year like $YearNow")or die(mysql_error());
$count1 = mysql_num_rows($sql1);


 if (don't know what to condition on this part ) {
    echo"idno $idno has already registered in that year";

}
else{

// query
$sql = "INSERT INTO student VALUES ('$stud_id','$idno','$dept_id','$progid','$syear','0','$lastname','$firstname','$middlename','$year','$password','$user_type')";
$result = mysql_query($sql) or die(mysql_error());



echo "<script type='text/javascript'>\n";
echo "alert('Successfully Added.');\n";
echo "window.location = 'addusers.php';";
echo "</script>";
}

?>

I need help to condition please I need help. Thanks

School_year table has(syearid(unique), from_year(2015), to_year(like 2016))

What a nice collection of SQL INJECTION security failures you have there. Why don't you use prepared statements? Why don't you escape the variables? Why do you copy all of them? — Sven, Dec 04 '15 at 01:25
I've already edit my question and it has the database structure — Mc Abhel Valerio, Dec 04 '15 at 01:51
I'm unclear on your particular requirements but maybe `$count >= 1 || $count1 >= 1`? Also you should close up the injection holes; and update your driver. I'd close the injection hole first; http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1. Your `like` also isn't using `%`s so it is basically an `=` and I don't understand why you'd `like` an integer.. (`like $YearNow`)... — chris85, Dec 04 '15 at 02:02

score 1 · Answer 1 · edited May 23 '17 at 10:28

1

Sanitize first your variables before you bind it to your query to prevent some of the SQL injections. You can use *_real_escape_string:

$lastname = mysql_real_escape_string($_POST['lastname']);

Do it for the rest of the passed on data.

And for your if() condition, you can do this (as pointed out already by @chris85):

if($count >= 1 || $count1 >= 1){

  echo "idno $idno has already registered in that year";

}

And please refrain from using mysql_* API because it is already deprecated, and should use mysqli_* or PDO instead.

edited May 23 '17 at 10:28

Community

1
1

answered Dec 04 '15 at 02:18

Logan Wayne

6,001
16
31
49

how to do that like this .., $stmt = $pdo->prepare('SELECT * FROM student WHERE idno = :idno'); $stmt->execute(array('idno' => $idno)); foreach ($stmt as $row) { // do something with $row }?? – Mc Abhel Valerio Dec 04 '15 at 02:32
I've just solved it and thanks – Mc Abhel Valerio Dec 08 '15 at 02:08
1

Great. Mc Abhel, you are online. Don't forget to mark as an Accepted Answer with the green check mark below the up and down arrows. If it solved your problem. That's how we roll on the stack. – Drew Mar 03 '16 at 02:40

Need help on conditioning value in php

1 Answers1

Linked