I want to test if user enter incorrect file number and ic, the message "Inccorect ref no and ic no" will shown, but it didn't work like that. It always shown the message "Thanks you for register attendance with us." Help me please..I'm new.
<?php
require "init.php";
$file_number = $_POST["file_number"];
$ic_no = $_POST["ic_no"];
$attendance = $_POST["attendance"];
//$ic_no = $_REQUEST['ic_no'];
$sql = "INSERT INTO reg_attend(file_number,ic_no,attendance) SELECT reg_meeting.file_number,reg_staff.ic_no,'".$attendance."' FROM reg_meeting,reg_staff WHERE (reg_meeting.file_number = '".$file_number."' AND reg_staff.ic_no = '".$ic_no."')";
$result = mysqli_query($conn,$sql);
$response = array();
if($result)
{
//var_dump($result);
$code = "reg_success";
$message = "Thanks you for register attendance with us.";
array_push($response,array("code"=>$code,"message"=>$message));
echo json_encode($response);
}
else
{
$code = "reg_failed";
$message = "Incorrect REF No. and IC No.";
array_push($response,array("code"=>$code,"message"=>$message));
echo json_encode($response);;
}
mysqli_close($conn);
?>
You need to validate your incoming data before you insert into your DB. It looks like currently, you will be inserting empty values into your reg_attend table. As this is likely successful, you will not be reaching the else.
If you need to validate that the passed in data exists, do a select first e.g.
SELECT reg_meeting.file_number,reg_staff.ic_no,'".$attendance."' FROM reg_meeting,reg_staff WHERE (reg_meeting.file_number = '".$file_number."' AND reg_staff.ic_no = '".$ic_no."')"
then check the results of that, before inserting.
As a side note, please please DO NOT use this code as shown. You should prefer to use query parameters with either PDO or mysqli. See https://www.php.net/manual/en/pdo.prepare.php
Related
I'm creating a function where user cannot claim today's money transaction in their account. But still can view their today's transaction. So I wanted to create a message to inform user that if user want's to claim their today's transaction, they cannot do that. They will have to comeback tomorrow if they want. This is what I'have tried but it's not working and it did not show the message.
I'm trying to display the message of Comeback tomorrow!
$connection = mysqli_connect("lolo", "hahaha", "", "eh");
$ql = "UPDATE kola SET setatus ='upgrade' WHERE ID = 'opopo1' AND
DATE(date) !=CURRENT_DATE() ";
$ql_claim = mysqli_query($connection, $ql);
if (mysqli_affected_rows($ql_claim) > 0) {
echo "<script>alert('Successful!')</script>";
echo "<script>window.location = 'nextPage.php'</script>";
} else
echo "<script>alert('Comeback tomorrow!')</script>";
}
I wanted to display the Comeback tomorrow alert but my alert are not working.
I noticed that there is an curly bracket { is missing in your code after else condition, so I updated your code.
$conn = new mysqli("lolo","hahaha","", "eh");
$status = "upgrade";
$id = "opopo1";
$ql_claim = $conn->prepare("UPDATE kola SET setatus = ? WHERE ID = ? AND DATE(date) != CURRENT_DATE()");
$ql_claim->bind_param("ss", $status, $id);
$ql_claim->execute();
if($ql_claim->affected_rows > 0 ) {
echo "<script>
alert('Successful!');
window.location = 'nextPage.php';
</script>";
}
else{
echo "<script>
alert('Comeback tomorrow!');
</script>";
}
Note: Please always use Prepared statements while Selecting, Updating, Inserting, or Deleting query in MySQL to avoid SQL Injection attack.
I am trying to build a email verification. Sending an email with a link to the user is working. Now I want to set active = 1 when the user clicks on the link wich he received. I have checked the variables $email and $key they are getting the right information from the url. When the active is set to 1 I want to echo an ahref to login.php. I think there is someting wrong in my SQL query can somebody help?
<?php
if (isset($_GET['email'])) {
$email = $_GET['email'];
}
if (isset($_GET['hash'])){
$key = $_GET['hash'];
}
$query = $mysqli->query("UPDATE `users` SET active=1 WHERE `email` = '". $email ."' AND `mailcheck` ='". $key ."' ");
$result = $query->fetch_row();
if($result == 1){
echo "Your account is now active. You may now Log in";
}
else {
echo "Your account could not be activated. Please recheck the link or contact the system administrator. test";
}
}
?>
Hold on here. fetch_row() http://php.net/manual/en/mysqli-result.fetch-row.php is for a SELECT and not UPDATE.
What you're looking to use is mysqli_affected_rows()
http://php.net/manual/en/mysqli.affected-rows.php
on UPDATE in order to check if the update was successful.
If you're looking to do a SELECT here (which makes more sense really), then you need to use mysqli_num_rows(), and if both exists, then do the UPDATE.
http://php.net/manual/en/mysqli-result.num-rows.php
You should also check for errors against your query:
http://php.net/manual/en/mysqli.error.php
If a row/user exists:
Consult an answer of mine https://stackoverflow.com/a/22253579/1415724 to check if a user exists, where you can base yourself on it.
Plus, a suggestion. Use !empty() instead of isset(). It's usually best to check against values.
What would also work better is to check if any are empty, rather than 2 conditional statements.
If one is left empty, your code will continue to execute and in turn, your query failing.
If you want to keep your present method, then you should exit; after each GET, but I wouldn't recommend it.
More like:
if ( !empty($_GET['email']) && !empty($_GET['hash']) ) {
$email = $_GET['email'];
$key = $_GET['hash'];
}
else{ exit; }
Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.
The problem is because of the following line,
$result = $query->fetch_row();
You're trying to do UPDATE operation but you're actually fetching the result row using ->fetch_row() statement, which by the way doesn't exist because UPDATE operation doesn't return any result set.
Use ->affected_rows property to get the number of affected rows from the UPDATE operation, like this:
$mysqli->query("UPDATE `users` SET active=1 WHERE `email` = '". $email ."' AND `mailcheck` ='". $key ."'");
if($mysqli->affected_rows == 1){
echo "Your account is now active. You may now Log in";
}else{
echo "Your account could not be activated. Please recheck the link or contact the system administrator.";
}
Here's the reference:
mysqli::$affected_rows
Edited:
Your code on the validation page should be like this:
if(isset($_GET['email']) && isset($_GET['hash'])){
$email = htmlentities($_GET['email']);
$key = htmlentities($_GET['hash']);
$mysqli->query("UPDATE `users` SET active=1 WHERE `email` = '". $email ."' AND `mailcheck` ='". $key ."'");
if($mysqli->affected_rows){
echo "Your account is now active. You may now Log in";
}else{
echo "Your account could not be activated. Please recheck the link or contact the system administrator.";
}
}else{
echo "wrong parameters.";
}
Re-edited:
After extensive debugging with OP the issue is resolved now, and this is the final working code,
if (isset($_GET['email']) && isset($_GET['hash'])) {
$email = $_GET['email'];
$key = $_GET['hash'];
$mysqli->query("UPDATE `users` SET active=1 WHERE `email` = '". $email ."' AND `mailcheck` ='". $key ."' ");
if($mysqli->affected_rows) {
echo "Your account is now active";
}else {
echo "Failed";
}
}
I'm trying to use PHP to enter data from a form. When I try to enter duplicate data a bad message pops like
Something went wrong with this:
INSERT INTO customer VALUES('jamie9422','Jamie Lannister','sept of baelor','jamie#cersei.com',9422222222,0) Duplicate entry 'jamie9422' for key 'PRIMARY' "
Instead, I want to display a clean error message. How can I do that. Here's my code I've written so far...
<?php
include_once "dbConnect.php";
$connection=connectDB();
if(!$connection)
{
die("Couldn't connect to the database");
}
$tempEmail = strpos("{$_POST["email"]}","#");
$customer_id=substr("{$_POST["email"]}",0,$tempEmail).substr("{$_POST["phone"]}",0,4);
//$result=mysqli_query($connection,"select customer_id from customer where customer_id='$customer_id' ");
//echo "customer_id is".$result;
$query = "SELECT * FROM CUSTOMER WHERE CUSTOMER_ID='$customer_id'";
$customer_idcip = $customer_id-1;
echo $customer_idcip;
if ( mysql_query($query)) {
echo "It seems that user is already registered";
} else {
$command = "INSERT INTO customer VALUES('{$customer_id}','{$_POST["name"]}','{$_POST["address"]}','{$_POST["email"]}',{$_POST["phone"]},0)";
$res =$connection->query($command);
if(!$res){
die("<br>Something went wrong with this:{$command}\n{$connection->error}");
}
echo "Welcome ".$_POST["name"]." \nCongratulations on successful Registration. Refill your Wallet here";
//$cutomerRetrival = mysql_query("select from customer where customer_id='$customer_id'");
echo "<br>Please note your customer ID :".$customer_id;
}
/*if($result)
{
echo "Query Fired";
$dupentry = mysqli_num_rows($result);
if($dupentry==1)
{
echo "You are already Registered";
exit;
}
}*/
?>
The error code (number) is 1022.
You can e.g. define a constant for that (so that somebody else in x months has a chance to understand the code) like
define('ER_DUP_KEY', 1022);
and then do something like
if(!$res){
if ( <error code>==ER_DUP_KEY ) {
handleDuplicateEntryError();
}
else {
die("<br>Something went wrong with this:{$command}\n{$connection->error}");
}
}
since I don't know how $res =$connection->query($command); works (and what $connection is I can't tell you exactly how to implement <error code>==ER_DUP_KEY, could be by using mysql_errno.
But it seems to be somehow intermingled with mysql_query($query), i.e. the old, deprecated mysql_* extension and some custom class. You might want to fix that first.... ;-)
see http://docs.php.net/manual/en/mysqlinfo.api.choosing.php
Your code doesn't check for existing record properly
Change
if (mysql_query($query)) {
echo "It seems that user is already registered";
}
to
$result = mysql_query($query);
if (mysql_num_rows($result)) {
echo "It seems that user is already registered";
}
Also, PLEASE do not use $_POST variables without escaping them first, use something like mysql_real_escape_string() to escape each variable passed from the user, otherwise your website will be hacked really fast with SQL Injection.
Make some update into your and then try to get error message 'customer already registered.'
$query = "SELECT * FROM CUSTOMER WHERE CUSTOMER_ID='$customer_id'";
$res= mysql_query($query);
$customer_count = mysql_num_rows($res);
$customer_idcip = $customer_id-1;
echo $customer_idcip;
if ( $customer_count > 0 ) {
echo "It seems that user is already registered";
} else {
...................................
Thank you all.
Actually I was using mysqli API in my connectDB.php file..
Hence I needed to call functions on mysqli.
Instead I was calling mysql. i.e I was creating a new connection, thus the query wasn't getting fired at all.
Changed to mysqli->query($result) that is object oriented style
and it worked fine....
Use Try Catch instead.
try{
$res =$connection->query($command);
}catch(Exception $e){
die( "Write your error appropriate message here");
}
I want to display an error message if the insert already exists.
I've made name unique in the database and if I enter the same value, it does not insert. Just as I wanted. Here is my code:
$query = "INSERT INTO register(name) VALUES('$foo')";
mysql_query($query) or die('An Error occurred' . mysql_error());
Now I want to echo a message to let the user know that the value he has entered is already present in the database and will not be inserted. Anyone?
I take it you are collecting $foo from a form?
what I would do is an sql query of the table register collecting the name field then when you collect the name entered in the form and its posted you can run an if condition against the name field you have already gathered using the sql statement and if there is a name = to the name they enter on the field they can receive a message and exit before the sql injection into the register table.
The simpliest way:
$res = mysql_query($query):
if ($res)
echo 'Insertion ok';
else
echo 'error: name already exists';
A better way: do first a SELECT query to see if name exists or not.
Note: you should think about moving from mysql_* to mysqli_* or PDO
Try this :
$query = "INSERT INTO register(name) VALUES('$name')";
$user = mysql_query($query):
if ($user)
echo 'User Register';
else
echo 'User Already Exist';
As per Melon's comment, you should use mysqli.
// Create your connection
$mysqli = new mysqli($host, $user, $pass, $dbname);
// Do your query
$mysqli->query("INSERT INTO register(name) VALUES('$foo')");
if($mysqli->affected_rows == 0) {
// Your chosen method of alerting the user goes here
}
\\this first part collects name information from your table.
$name="SELECT name FROM register";
$name_query = mysqli_query($db_conx, $name);
$numrows = mysqli_num_rows($name_query);
if($numrows < 1){
echo "cannot find user";
header ("location: index.php");
}
while ($row = mysqli_fetch_array($name_query, MYSQLI_ASSOC)){
$name = $row["name"];
}
\\ this part gets the name from your form
if (isset($_POST['class']) && ($_POST['class'] !='')){
$foo = $_POST['foo'];
\\this part checks to see if the 2 values are equal
if ($name == $foo){
echo "This name has already been used try again";
\\this part then adds the name if its not already in the database
}else{
$query = "INSERT INTO register(name) VALUES('$foo')";
mysql_query($query) or die('An Error occurred' . mysql_error());
}
}
//then all you need to do is create your form to post the foo or name so it can be collected and passed through the querys.
I'm try to get cookies on to a browser. It's giving me parameter 1 error and parameter 3. This code works elsewhere on my site but not here. Can someone help me?
if ((!isset($_POST["uname"])) || (!isset($_POST["password"])))
{
header ("Location: wddnt/clients/'. $tattoo_extern_acct . '/index.html");
exit;
}
$userpass = md5($_POST['password']);
#$db = mysqli_connect("$dbc_ser", "$dbc_usr", "$dbc_pwd", "$dbc_db");
$sql = "SELECT id, name, company, job_title, cell_num, office_num, office_email,
login_right, first_run, attempts, locked_out FROM login
WHERE email = '".$_POST["email"]."'
AND password = PASSWORD('$userpass')";
if (mysqli_connect_errno())
{
echo 'Cannot connect to database: ' . mysqli_connect_error();
}
else
{
$result = mysqli_query($db, $sql);
while ($info = mysqli_fetch_array($result))
{
$id = stripslashes($info['id_files']);
$u_acct = stripslashes($info['uname']);
$name = stripslashes($info['name']);
$job_title = stripslashes($info['job_title']);
$location = stripslashes($info['company']);
$cell_num = stripslashes($info['cell_num']);
$office_num = stripslashes($info['office_num']);
$office_email = stripslashes($info['office_email']);
$login_right = stripslashes($info['login_right']);
$first_run = stripslashes($info['first_run']);
$attempts = stripslashes($info['attempts']);
$locked_out = stripslashes($info['locked_out']);
$land_page = stripslashes($info['land_page']);
}
}
Try debugging some of the individual variables. What is in $sql, for example? Is it correct?
Is the "Cannot connect" clause executed, or does it get to the query and fail there? (I am not sure what "parameter 1 error and parameter 3" means).
Don't forget to escape the 'email' value by the way - this code has an SQL injection hole.
header ("Location: wddnt/clients/'. $tattoo_extern_acct . '/index.html");
This is not going to work the way you expect.
$sql = "SELECT id, name, company, job_title, cell_num, office_num, office_email,
login_right, first_run, attempts, locked_out FROM login
WHERE email = '".$_POST["email"]."'
You need to read up on SQL injection.
while ($info = mysqli_fetch_array($result))
You allow multiple accounts with the same email address / password?????
It's giving me parameter 1 error and parameter 3
Couldn't you post the actual error message you get?
$id = stripslashes($info['id_files']);
WTF? Smartquotes?
I'm not sure i understand your question but the last time i checked anyone who wants to use cookies uses the $_COOKIE global variable, either for setting them or accessing them. $_POST is made to get stuffs from forms, not cookies.
Please check the manual for more details about $_COOKIE
Regards