is their any logical error in my php code?

Question

This is a part of a small banishment system reposed on the value of the $var how's equal to $_GET['id']

the problem occurred when i attempt to test the code, in the first execution with a false value of $_GET['id'] (not_numeric or <= 0) the code insert correctly the ip in the table but he increment the attempt value by 1, knowing that (attempt) is int(11) in my table without AUTO-INCREMENT or special property so i found the row in the table like this :

id : 1, ip : 192.168.1.X, attempt : 2

id : 1, ip : 192.168.1.X, attempt : 4 (in the second execution of a false value of $_GET['id'])

id : 1, ip : 192.168.1.X, attempt : 6 (in the third execution of a false value of $_GET['id'])

and so on, its always incremented BY 2.

<?php
$ip="192.168.1.11";
$var=1;
if(isset($var))
{
    if(is_numeric($var) AND $var >=1)
    {
        $var=$var;
    }
    else
    {
        $var=null;
        $msg[]="::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::";
        $query="SELECT * FROM table WHERE ip = '$ip'";
        if(($result=$mysql_link->query($query)) AND ($result->num_rows > 0))
        {
            $row = $result->fetch_assoc();
            $current_score_of_attmpt=$row['attempt'];
            $new_score_of_attmpt=$current_score_of_attmpt+1;
            $result->free();
            $query = "UPDATE table SET attempt = attempt +1 WHERE ip = '$ip'";
            if($mysql_link->query($query)===TRUE) {
                $msg[]="We have Updated your score of attempt to $new_score_of_attmpt";
                $msg[]="::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::";
            }
            else
            {
                echo "Update Error: ".$query."<br>".$mysql_link->error;
            }
        }
        elseif(!($mysql_link->error)) 
        {
            $query ="INSERT INTO table (ip, attempt) VALUES ('$ip', 1)";
            if($mysqli_link->query($query)===TRUE)
            {
            $msg[]="Its Your First Attempt";
            }
            else
            {
                echo "Update Error: ".$query."<br>".$mysql_link->error;
            }
        }
        else
        {
            echo "SELECT Error: ".$query."<br>".$mysql_link->error;
        }
    }
}
else
{
    $var=null;
} 

echo "<br> the value of var = ".$var;
if(isset($msg))
{
    for($i=1; $i<=sizeof($msg); $i++)
    {
        echo "<br>".$i.") ".$msg[$i];
    }
}

*"is their any error in my php code ?"* - check for errors and find out for yourself. — Funk Forty Niner, Jul 01 '16 at 15:02
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Jul 01 '16 at 15:03
i can't use prepared statement because i'm using variables in the tables names — Abdessamad Ezaimi, Jul 01 '16 at 15:07
when i said in the title error i don't mean PHP error but logical error algorithm error ! — Abdessamad Ezaimi, Jul 01 '16 at 15:11
as of your problem, it's wrong implementation of seo-friendly links — Your Common Sense, Jul 01 '16 at 15:15
There's no such thing as "can't use prepared statement", only "won't" — Mark Baker, Jul 01 '16 at 15:15
You can still use prepared statements with interpolated table names... — CD001, Jul 01 '16 at 15:15
yeah :: i can use the prepare statement if i use switch for changing the value of SQL-query thanks for your replies :) but still i have to know what's wrong in the code ? — Abdessamad Ezaimi, Jul 01 '16 at 15:25
This can be a result of a browser pre-fetch (as you use a GET method to update the table), like a browser launch page (some browsers pre-cache favourites). — Progrock, Jul 01 '16 at 15:40
@Progrock the issue is much simpler, however browser related. The Op should implement their seo-friendly urls properly — Your Common Sense, Jul 01 '16 at 15:40

score 1 · Answer 1 · answered Jul 02 '16 at 17:17

1

i found that the code had nothing to do with the problem the reason why it was executing tow times is that in my HTML Template i forgot to define the full Path(URL) of the webapp icon. i left it blank

<link href="" rel="icon">

answered Jul 02 '16 at 17:17

Abdessamad Ezaimi

31
6

I've also seen browsers pre-fetching favourite web pages and doing something similar. – Progrock Jul 03 '16 at 10:16

is their any logical error in my php code?

1 Answers1