
Good evening everyone, while studying I came across PHP if, else and elseif statements. I am trying to put if and else to use but the IF statement is really not working. Maybe I'm missing a tiny detail. The code is supposed to check if the username is already in the table and then skip. Any help will be greatly appreciated. If this question has been answered here, kindly point me to the URL.

```php
<?php
include 'inc.dbcon.php';
// Report all errors
error_reporting(E_ALL);

$username = mysqli_real_escape_string($con, $_POST['username'][0]);
$school = mysqli_real_escape_string($con, $_POST['school'][0]);
$candname = $_POST['candname'];

$query = mysqli_query($con, "SELECT * FROM parlia_votes WHERE username='".$username."'");
if(mysqli_num_rows($query) > 0) {
?>
<script>
    alert('Vote has already been cast.');
    window.location = 'logout.php';
</script>
<?php
}
else
    foreach ($_POST['candname'] as $candname) {
        $query = sprintf("INSERT INTO parlia_votes (username, school, candname) VALUES ('%s', '%s', '%s')", $username, $school, $candname);
        ?>
        <script>alert('Thank you for casting your votes.');</script>
        <script>window.location = 'logout.php'; </script>
        <?php
        $con->query($query);
    }
?>
```

PS: I'm using a foreach loop to post to the database. Thanks.

Iłya Bursov
  • What, specifically, is not working? – Sloan Thrasher Jul 24 '17 at 20:20
  • The else is missing the opening curly bracket – LordNeo Jul 24 '17 at 20:21
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation, concatenation or `sprintf` to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). Accidentally unescaped data is a serious risk. Using bound parameters is less verbose and easier to review to check you’re doing it properly. – tadman Jul 24 '17 at 20:22
  • @LordNeo else does not use brackets at all here, foreach has both { and } – Iłya Bursov Jul 24 '17 at 20:23
  • ok... let me give it a try – Felicity Okache Jul 24 '17 at 20:23
  • One advantage to prepared statements with placeholder values is you can prepare once, then execute the query multiple times with different data. That will really simplify your `for` loop here. – tadman Jul 24 '17 at 20:23
  • `$_POST['X'][0]` implies a wider array (than a single) and your statement of: *"The code is supposed to check if the username is already in the table"* - seems to contradict this. You may need to update your question to contain the HTML/form for this. – Funk Forty Niner Jul 24 '17 at 20:24
  • @IlyaBursov yup, you're right, the user needs to specify what's not working or what error they are getting. – LordNeo Jul 24 '17 at 20:27
  • @LordNeo the curly brackets worked – Felicity Okache Jul 24 '17 at 20:31
  • Well that's just confusing, else without curly brackets is perfectly valid in this instance. – WheatBeak Jul 24 '17 at 20:33
  • @llyaBursov I wasn't getting any error, the pop-up message shows that the data already exists but it goes on to add the record to the table – Felicity Okache Jul 24 '17 at 20:33
  • Tell me, what shows up when you use error reporting? http://php.net/manual/en/function.error-reporting.php a parse error perhaps? – Funk Forty Niner Jul 24 '17 at 20:34
  • Thanks everyone, I'll work on the areas that you have all pointed out and come up with a better version of my code – Felicity Okache Jul 24 '17 at 20:36
  • @FelicityOkache [This was a question...](https://stackoverflow.com/questions/45289350/database-query-not-working-well-with-php#comment77541505_45289350); can I too get an answer from this? – Funk Forty Niner Jul 24 '17 at 20:42
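
The approach tadman's comments describe (bound parameters, one prepared `INSERT` executed once per candidate), as an added example that is not part of the original thread. The table and column names come from the question; the function name `cast_votes` and the connection settings in the usage comment are hypothetical.

```php
<?php
// Added example, not code from the thread. cast_votes() is a hypothetical name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Returns false if the user already has a row, true once all votes are stored.
function cast_votes(mysqli $con, string $username, string $school, array $candnames): bool
{
    // One transaction so a voter's rows are stored all together or not at all
    // (requires a transactional engine such as InnoDB).
    $con->begin_transaction();
    try {
        // Duplicate check with a bound parameter instead of string concatenation.
        $check = $con->prepare('SELECT 1 FROM parlia_votes WHERE username = ? LIMIT 1');
        $check->bind_param('s', $username);
        $check->execute();
        $check->store_result();
        if ($check->num_rows > 0) {
            $con->rollback();
            return false; // already voted: nothing is inserted
        }

        // Prepare once. bind_param() binds by reference, so every execute()
        // sends whatever $candname holds at that moment.
        $candname = '';
        $insert = $con->prepare(
            'INSERT INTO parlia_votes (username, school, candname) VALUES (?, ?, ?)'
        );
        $insert->bind_param('sss', $username, $school, $candname);
        foreach ($candnames as $value) {
            if (!is_string($value) || $value === '') {
                continue; // skip malformed form values
            }
            $candname = $value;
            $insert->execute();
        }
        $con->commit();
        return true;
    } catch (Throwable $e) {
        $con->rollback(); // undo partial inserts, then surface the error
        throw $e;
    }
}

// Usage (placeholder credentials; form fields as in the question):
// $con = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
// $ok  = cast_votes($con, $_POST['username'][0], $_POST['school'][0], (array) $_POST['candname']);
// echo $ok ? 'Thank you for casting your votes.' : 'Vote has already been cast.';
```

Because the function returns before any insert when a row already exists, the page can show exactly one of the two messages. Two simultaneous requests can still both pass the check; closing that gap needs a unique key, and the table's schema is not shown in the thread.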

0 Answers