0

This is my code,i want to check against empid if cli and callduration both are same and evaluated before it..then show this cli and call duration is already evaluated..if cli is same but duration is different then show start evaluation and also if cli and duration both are different then also show start evaluation.

The problem which i am facing is that my code is only check one statement like empid=1,cli=123,calldurations is 1min &01:01 then its check only 1 min duration and on 01:01 duration print the statement start evaluation..the code should show call is already evaluated..

<?php
$con = mysqli_connect("localhost","root","","usman");
$check = "SELECT COUNT(*) FROM eval WHERE empid = '$_POST[empid]' &&  cli =  '$_POST[cli]'  && callduration = '$_POST[callduration]' ";
$result = mysqli_query($con,$check);
$count = mysqli_fetch_array($result);
if(current($count) > 0) {
  echo "<tr><td>This call is already evaluated against </td></tr><tr><td> Emp-ID " . $_POST["empid"] . "</td></tr><tr><td>CLI - " . $_POST["cli"] . "</td></tr><tr><td>Call Duration - " . $_POST["callduration"] . "</td></tr>";
}
else
{
  echo "<a href='evaluationsheet.php?empid= ". $_GET["empid"] ." && agentname= ". $_GET["agentname"] ." && doj= ". $_GET["doj"] ." && department= ". $_GET["department"] ." && division= ". $_GET["division"] ." && designation= ". $_GET["designation"] ." && image= ". $_GET["image"] ." && cli= ". $_POST["cli"] ." && callduration= ". $_POST["callduration"] ."  '> Click Here To Start Evaluation </h1>";

}
?>
Praveen Kumar Purushothaman
  • 164,888
  • 24
  • 203
  • 252
m.usman
  • 43
  • 7
  • 2
    I see the word "eval" and no prepared statements; that sounds scary. I hope this isn't a live or going live site. – Funk Forty Niner Oct 04 '16 at 13:32
  • 2
    You have an SQL Injection vulnerability, so first off rewrite to use a prepared statement: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Alex K. Oct 04 '16 at 13:32
  • @AlexK. how can i fix this issue??? – m.usman Oct 04 '16 at 13:37
  • @AlexK. the link u enter did not helpful for me – m.usman Oct 04 '16 at 13:43
  • I disagree, it is _very_ helpful. It will prevent your system from falling to automated scripts and malicious users. Something which _will_ cause you to lose all control of your site, have all of your user's details (including e-mail address, and the password they also use for it), having your server used as a spam-bot and everything else you most assuredly don't want to happen. – ChristianF Oct 04 '16 at 14:17
  • It'll also help make your code a lot easier to read, and thus understand. Which, frankly neither your question or code is at the moment. Which explains why people are reluctant to help you, as it requires a lot more effort to help than it seems you've put into actually asking the question. (After all, if you can't be bothered to take your time, why should we..?) Just a friendly tip. :) – ChristianF Oct 04 '16 at 14:19
  • Are you sending a `POST` request? ` – chris85 Oct 04 '16 at 14:26
  • @- chris85 thanks chris – m.usman Oct 06 '16 at 13:41

0 Answers0