I have a registration form and I'm trying to insert data if 'ID' doesn't exist. It's working fine. Now I'm trying to update data if 'ID' already exists. It's not working at all and I couldn't find the error. Here is the condition I set to check whether the ID exists or not:

function staff_detail_exist($ic) {    
    $result = null;
    $sql = "SELECT * FROM apply WHERE staffid = '$ic'";
    $data = mysql_query($sql);

    if (mysql_num_rows($data) == 0) {    
        $result = "available";
    } else {    
        $result = "exist";
    }

    return $result;
}

And here are my insert and update functions:

 if (staff_detail_exist($ic) == "available") {

    insert_staff_detail($ic, $name, $contact, $mail, $address, $paytype, $applicant);
    echo "Workshop application successful! You will be notified shortly via E-mail after confirmation! Thank You!";
} 
else if (staff_detail_exist($ic) == "exist") {

    update_staff_detail($ic, $name, $contact, $mail, $address, $paytype);
    echo  "Staff Details Updated!" ;
}

function insert_staff_detail($ic, $name, $contact, $mail, $address, $paytype, $applicant) {

    $sql = "INSERT INTO apply (staffid, staffname, staffno, staffemail, staffaddress, paytype, applicant) VALUES ('$ic', '$name', '$contact', '$mail', '$address','$paytype', '$applicant')";
    mysql_query($sql);
}

function update_staff_detail($ic, $name, $contact, $mail, $address, $paytype){
    $sql = "UPDATE apply 
            SET staffname='$_POST[name]',
            staffno='$_POST[contact]',
            staffmail='$_POST[mail]',
            address='$_POST[address]',
            paytype='$_POST[paytype]'
            WHERE staffid='$_POST[ic]'";
    mysql_query($sql);
}

Any suggestions, please? Thanks!

  • This code would be vulnerable to an SQL injection attack. Commented Dec 10, 2012 at 2:47
  • By not sanitizing data taken from the user before it is inserted into the database. Commented Dec 10, 2012 at 2:55
  • Btw, is there a reason why update_staff_detail() is ignoring its parameters and using the $_POST variables? Could that be your problem? Commented Dec 10, 2012 at 2:58
  • Any time you take info from the user, you need to make sure you sanitize the information. They may pass in information that drops all your tables in the DB, for example. Look at bobby-tables.com for a starting example. Commented Dec 10, 2012 at 3:01
  • @Atik We're not your "bros." Commented Dec 10, 2012 at 3:01

1 Answer

Observation: You must indicate when you receive POST variables. The update_staff_detail method should receive POST variables in the same way you get the insert_staff_detail method.

Change: Definition of update_staff_detail

To:

function update_staff_detail($ic, $name, $contact, $mail, $address, $paytype){
    $sql = "UPDATE apply 
            SET staffname='$name',
            staffno='$contact',
            staffmail='$mail',
            address='$address',
            paytype='$paytype'
            WHERE staffid='$ic' LIMIT 1";
    mysql_query($sql);
}

Regards.

3 Comments

Perhaps a LIMIT 1 would be well suited for this.
Would help you enter the complete code you receive insert_staff_detail method from POST variables.
I used this to get values from the form: `$ic = mysql_real_escape_string($_POST['ic']); $name = mysql_real_escape_string($_POST['name']); $contact = mysql_real_escape_string($_POST['contact']); $mail = mysql_real_escape_string($_POST['mail']); $address = mysql_real_escape_string($_POST['address']); $paytype = mysql_real_escape_string($_POST['paytype']); $applicant = mysql_real_escape_string($_POST['applicant']);`
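
The comments on the question flag SQL injection, and the check-then-insert-or-update flow discussed above can be written with bound parameters instead of string interpolation. This is an added example, not code from the question or the answer; the helper name `save_staff_detail`, the table definition (columns taken from the question's INSERT statement) and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. An in-memory SQLite database stands in for MySQL (assumption);
// the schema is reconstructed from the columns in the question's INSERT.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE apply (staffid TEXT PRIMARY KEY, staffname TEXT,
    staffno TEXT, staffemail TEXT, staffaddress TEXT, paytype TEXT, applicant TEXT)');

// Hypothetical helper: insert the row if staffid is new, otherwise update it.
function save_staff_detail(PDO $pdo, array $d): string
{
    $pdo->beginTransaction();
    try {
        // The staff ID is bound as a parameter, never spliced into the SQL text.
        $check = $pdo->prepare('SELECT 1 FROM apply WHERE staffid = :ic');
        $check->execute([':ic' => $d['ic']]);
        $exists = $check->fetchColumn() !== false;

        $params = [':ic' => $d['ic'], ':name' => $d['name'],
                   ':contact' => $d['contact'], ':mail' => $d['mail'],
                   ':address' => $d['address'], ':paytype' => $d['paytype']];
        if ($exists) {
            $sql = 'UPDATE apply SET staffname = :name, staffno = :contact,
                        staffemail = :mail, staffaddress = :address, paytype = :paytype
                    WHERE staffid = :ic';
        } else {
            $sql = 'INSERT INTO apply (staffid, staffname, staffno, staffemail,
                        staffaddress, paytype, applicant)
                    VALUES (:ic, :name, :contact, :mail, :address, :paytype, :applicant)';
            $params[':applicant'] = $d['applicant'];
        }
        $pdo->prepare($sql)->execute($params);
        $pdo->commit();
        return $exists ? 'updated' : 'inserted';
    } catch (Throwable $e) {
        $pdo->rollBack();   // leave the table unchanged on any failure
        throw $e;
    }
}

// Constructed sample input; the quotes in the ID and name are stored as data.
$row = ['ic' => "S100' OR '1'='1", 'name' => "O'Brien", 'contact' => '555-0100',
        'mail' => 'ob@example.test', 'address' => '1 Main St',
        'paytype' => 'cash', 'applicant' => 'staff'];
echo save_staff_detail($pdo, $row), "\n";
$row['name'] = "Pat O'Brien";
echo save_staff_detail($pdo, $row), "\n";
echo $pdo->query('SELECT COUNT(*) FROM apply')->fetchColumn(), " row(s)\n";
```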
