0

I have one table called tbl_favorite. there two field called user_id and quote_id. I am passing this both field in parameter. I want check that user_id have any row with that quote_id. if its exist I want response like "already exist" else I want insert that data in table.

    <?php
header('Content-Type: application/json; Charset=UTF-8');
include("dbconnection.php");
$userid= $_GET['userid'];
$quoteid= $_GET['quoteid'];

// I am confused to write condition
$query= mysqli_query($conn,"SELECT fav_id FROM tbl_fav  WHERE  user_id='".$userid.'" AND fav_qu_id="'.$quoteid.'"");

if(mysqli_num_rows($query) > 0){

$response="already exist";

}
else{
$query= mysqli_query($conn,"INSERT INTO tbl_fav(user_id,fav_qu_id VALUE('".$userid."','".$quoteid."')");
$response['message']='success';

}
echo json_encode($response);
?>

my url is like below

example.com/api.php?user_id=1&&quote_id=1

I am getting error called Parse error: syntax error, unexpected '"'. Let me know if someone correct me. I am android developer and does not know proper PHP. Thanks

Priya
  • 1,602
  • 4
  • 22
  • 37
  • It's okay you've only got basic knowledge. The important thing here is you show what `mysqli` code you've got and we can help build on that. – tadman Sep 28 '17 at 19:11
  • this is not at all php question. Also, you need to show your query – Ravi Sep 28 '17 at 19:13
  • @tadman sir ! I have added code that I have. – Priya Sep 28 '17 at 19:15
  • That's a start, but there's no `mysqli` query code at all in there. You'll need to at least stub that in. – tadman Sep 28 '17 at 19:19
  • 1
    If you're at the very beginning you may want to investigate if [PDO](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) is a better plan here. `mysqli` is a very limited interface in comparison, and doesn't offer as many convenience features as PDO does. [PDO demystified](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) explains how it works. – tadman Sep 28 '17 at 19:21
  • I have edited code, let me know if someone can help me now. Thanks – Priya Sep 28 '17 at 19:44

1 Answers1

0
$resource = "SELECT * FROM tbl_favorite WHERE user_id='{$userid}' AND quote_id='{$quoteid}'";
$result = if (mysqli_query($query)){

    return true;

}

if ($result){
  echo "that quote exists within the given user";
}
EldinPHP
  • 13
  • 1
  • 3
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…”)` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Sep 28 '17 at 19:20
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Sep 28 '17 at 19:20
  • Of course.. OP please dont use this script I just sent above publicly, and if you are going to use it, sanitize user data first just as tadman said :) – EldinPHP Sep 28 '17 at 19:22
  • Be careful when giving examples that are hazardous. It's like handing someone a loaded gun. – tadman Sep 28 '17 at 19:23
  • You are right man.. but I am just trying to help.. but i will mention these things you just mentioned above every time someone asks similar questions. – EldinPHP Sep 28 '17 at 19:25
  • Help is appreciated. It only takes a moment to use `bind_param` and fix the issue and that can save a whole world of hurt later on. Hopefully if you write a lot of SQL interfacing code this should be a habit you can't ignore. – tadman Sep 28 '17 at 19:29