
I'm using the following code and testing it using WAMP on my localhost.

It works fine and inserts the data, however for some reason it creates a duplicate row.

Is there a reason why it makes it appear twice?

<?php
require "conn.php";
$name =$_POST["name"];
$surname = $_POST["surname"];
$age = $_POST["age"];
$username = $_POST["username"];
$userpass = $_POST["password"];

$mysql_qry = "insert into employee_data(name, surname, age, username, password) values ('$name', '$surname', '$age', '$username', '$userpass')";

$result = mysqli_query($conn, $mysql_qry);

if ($conn->query($mysql_qry) === TRUE){
    echo "insert success";
}
else{
    echo "Error:" .$mysql_qry . "<br> " . $conn->error;
}
$conn->close();
?>

Thank you

  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Aug 29 '19 at 18:12
  • **Never store plain text passwords!** Please use **[PHP's built-in functions](//php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)** (and you should consider upgrading to a supported version of PHP). Make sure you **[don't escape passwords](//stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Aug 29 '19 at 18:13

1 Answer


YES, you run the query TWICE; see the comments in the code.

<?php
require "conn.php";
$name =$_POST["name"];
$surname = $_POST["surname"];
$age = $_POST["age"];
$username = $_POST["username"];
$userpass = $_POST["password"];

$mysql_qry = "insert into employee_data
                        (name, surname, age, username, password) 
                values ('$name', '$surname', '$age', '$username', '$userpass')";

//ONCE HERE
$result = mysqli_query($conn, $mysql_qry);

//AND AGAIN HERE
if ($conn->query($mysql_qry) === TRUE){
    echo "insert success";
}
else{
    echo "Error:" .$mysql_qry . "<br> " . $conn->error;
}
$conn->close();
?>

ALSO: Your script is wide open to SQL Injection Attack. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements in either the MYSQLI_ or PDO APIs.

Coded using prepared and bound queries

<?php
require "conn.php";

$sql = "insert into employee_data
                        (name, surname, age, username, password) 
                values (?,?,?,?,?)";

// Prepare the statement once. The placeholders are filled in by bind_param(),
// so the submitted values are sent as data and never become part of the SQL text.
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    die("Error: " . $conn->error);
}

// Five placeholders need five type characters and five variables.
$stmt->bind_param('sssss', $_POST["name"],
                           $_POST["surname"],
                           $_POST["age"],
                           $_POST["username"],
                           $_POST["password"]);

// execute() is called exactly once, so exactly one row is inserted.
if ( $stmt->execute() ){
    echo "insert success";
}else{
    echo "Error:" . $sql . "<br> " . $stmt->error;
}
$stmt->close();
$conn->close();
?>

Now I have to mention how bad it is to use plain text passwords.

PHP provides password_hash() and password_verify(); please use them. And here are some good ideas about passwords.

  • Will do sir, thank you for your tips. – Ben Aug 29 '19 at 18:20
  • @Ben also make sure that when you use password_hash() / password_verify() you write the query as `SELECT password FROM user WHERE username = :username`. **Do not include the password column in the WHERE** as in `SELECT password FROM user WHERE username = :username AND password = :password`. As RDBMSs are designed to return a result as quickly as possible, in most cases in constant, stable time when indexes/buffer pools are involved, a [Timing attack](https://en.wikipedia.org/wiki/Timing_attack) in the SQL engine can be possible. – Raymond Nijland Aug 29 '19 at 18:43
  • Do I also need to use prepared parameters for when I use mysqli_connect? Or sql injection cannot happen before I even connect to the data base? For example: $conn = mysqli_connect($server_name, $mysql_username, $mysql_password, $db_name); – Ben Aug 29 '19 at 20:02
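As an added example, not code from the question or from RiggsFolly's answer, here is the insert from the answer combined with password_hash(), plus the login lookup that Raymond Nijland's comment describes (select by username only, then compare in PHP with password_verify()). It assumes that conn.php provides `$conn` as a mysqli object, that the `age` column is an integer, and that the form sends a hypothetical `action` field to choose between registering and logging in; everything else (table and column names, field names) comes from the question.

```php
<?php
// Added example; not code from the question or the answer.
// Assumes conn.php creates $conn as a mysqli connection and that the table
// employee_data(name, surname, age, username, password) from the question exists.
require "conn.php";

// Report mysqli failures as exceptions so a failed prepare()/execute() cannot
// silently look like "no rows" and end up in an echo of the raw SQL.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function register_employee(mysqli $conn, array $post): bool
{
    // Hash before the value goes anywhere near the database. password_hash()
    // picks a salt itself; do not escape, trim or otherwise alter the password first.
    $hash     = password_hash($post["password"], PASSWORD_DEFAULT);
    $name     = $post["name"];
    $surname  = $post["surname"];
    $age      = (int) $post["age"];      // assumption: age is an integer column
    $username = $post["username"];

    $stmt = $conn->prepare(
        "INSERT INTO employee_data (name, surname, age, username, password)
         VALUES (?, ?, ?, ?, ?)"
    );
    // Values are bound, never concatenated: a name of "'); DROP TABLE ..." is
    // stored as that literal string. 'i' casts age to an integer.
    $stmt->bind_param("ssiss", $name, $surname, $age, $username, $hash);
    $ok = $stmt->execute();   // called exactly once, so exactly one row
    $stmt->close();
    return $ok;
}

function login_employee(mysqli $conn, string $username, string $password): bool
{
    // Look up by username only. The stored value is a hash, so it cannot be
    // compared in the WHERE clause anyway, and keeping the secret out of the
    // query means the database's lookup time does not depend on it.
    $stmt = $conn->prepare("SELECT password FROM employee_data WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still do one password_verify() against a throwaway hash
        // so the response takes about as long as a wrong password would.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash("not-a-real-password", PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    // The comparison happens in PHP, with password_verify()'s constant-time check.
    return password_verify($password, $hash);
}

// Dispatcher; the "action" field is an assumption for this example.
try {
    if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["action"])) {
        if ($_POST["action"] === "register") {
            echo register_employee($conn, $_POST) ? "insert success" : "insert failed";
        } elseif ($_POST["action"] === "login") {
            echo login_employee($conn, $_POST["username"], $_POST["password"]) ? "login ok" : "login failed";
        }
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo the SQL or the driver message to the user.
    error_log($e->getMessage());
    echo "Error: request failed";
}
$conn->close();
?>
```

Two design points worth noting: the error branch logs the driver message instead of echoing the query text to the browser as the original code does, and the login path costs roughly the same whether the username exists or not, so the response time does not tell an attacker which usernames are valid.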