My Code Doesn't Work


donoskaro

Hey Guys and I'm sorry for this title but I can't think of a way to briefly describe this problem.

 

I have a file called "loggedin.php" which sends the variable $votername to the file called "sendtodb.php".

 

This is "sendtodb.php":

 

 

<?php
$host="localhost"; 
$username="********"; 
$password="********"; 
$db_name="********";  
$tbl_name="sample_voter";


mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


if (isset($_GET['votername'])) {
$votername = $_GET['votername'];
}


mysql_query("INSERT INTO $tbl_name(votername,votecount) VALUES ($votername,1)
  ON DUPLICATE KEY UPDATE votecount=votecount+1");


mysql_query("UPDATE table SET votecount=votecount+1 WHERE votername=$votername");


mysql_close();
?>
 

And this is how it should work:

 

The variable gets sent to "sendtodb.php", which checks if a row for $votername exists. If it doesn't, then it adds a row and sets votecount (it's set as an INT in the MySQL table) to 1, and if a row for $votername exists, then it adds another 1 to the current value in votecount.

 

I am still learning PHP so I am a little confused as to why nothing happens in my database.

 

Is there a fault in the code somewhere?

 

Thanks,

Oskar

Link to comment
https://forums.phpfreaks.com/topic/275388-my-code-doesnt-work/

1. You're not checking for SQL errors. See my signature.

2. Don't put variables in strings when they don't need to be. ("$host").

3. DO put variables in strings when they DO need to be. (in your queries when you send a string, mysql needs to know it's a string)

4. Your code appears to put in 2 votes per person.

Link to comment
https://forums.phpfreaks.com/topic/275388-my-code-doesnt-work/#findComment-1417357

It is a good idea to get into the habit of always properly debugging code throughout the development process.

A good way of debugging SQL is to first store both the SQL statement and the actual call to the query in variables to be able to check their return values.

It is important to check the return value of mysql_query to make sure that the query did in fact work and did not return a boolean false value. We can do this as follows:

 

 

$sql = "INSERT INTO $tbl_name (votername, votecount) VALUES ('$votername', 1) ON DUPLICATE KEY UPDATE votecount = votecount + 1";
$result = mysql_query($sql);
if(!$result) //query failed, output error(s) and SQL statement
{
  echo "Error: " . mysql_error() . "<br>SQL: " . $sql;
}

 

This will output both any errors that were triggered and the SQL statement which will make it much easier to debug.

 

In this case the second query is not needed as the first query already takes care of incrementing the votecount column if there is already a row for a particular voter.

 

It is essential that you understand that arbitrary data from a user MUST be sanitized before it is used directly inside of an SQL statement. 

In this case, the mysql_real_escape_string function will do this for us:

 

 

if(isset($_GET['votername']))
{
  $votername = mysql_real_escape_string($_GET['votername']);
}

 

Since your query relies on $_GET['votername'] being set, I would include the query in the if condition that checks for it being set.

 

Also, I must mention that the MYSQL extension is deprecated and should no longer be used. MYSQLi or PDO should be used instead; I recommend the latter.

 

I believe that the actual error may be caused by the fact that you did not wrap $votername in single quotes inside of the SQL statement.

Link to comment
https://forums.phpfreaks.com/topic/275388-my-code-doesnt-work/#findComment-1417360
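
Added example, not code from the thread or from any poster: the same vote upsert done through PDO with a bound parameter, the route the last reply recommends, so the value needs neither manual quoting nor escaping. The function name recordVote, the 64-character limit and the in-memory SQLite demo are assumptions made so the block runs without a MySQL server; votername is assumed to carry a UNIQUE or PRIMARY KEY index.

```php
<?php
// Added example: one-query vote upsert with a bound parameter (PDO).
// Assumption: sample_voter.votername has a UNIQUE or PRIMARY KEY index.

function recordVote(PDO $pdo, string $votername): int
{
    $votername = trim($votername);
    // Validate before touching the database; the 64-char limit is an assumed value.
    if ($votername === '' || strlen($votername) > 64) {
        throw new InvalidArgumentException('invalid votername');
    }

    // MySQL and SQLite (3.24+) spell the upsert differently; the binding is identical.
    $driver = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
    $upsert = $driver === 'mysql'
        ? 'ON DUPLICATE KEY UPDATE votecount = votecount + 1'
        : 'ON CONFLICT(votername) DO UPDATE SET votecount = votecount + 1';

    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare(
        "INSERT INTO sample_voter (votername, votecount) VALUES (:votername, 1) $upsert"
    );
    $stmt->execute([':votername' => $votername]);

    // Read the count back so the caller can confirm what was stored.
    $read = $pdo->prepare('SELECT votecount FROM sample_voter WHERE votername = :votername');
    $read->execute([':votername' => $votername]);
    return (int) $read->fetchColumn();
}

// Demo on in-memory SQLite (requires the pdo_sqlite extension).
// For MySQL, connect with: new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', $user, $pass)
// and also set PDO::ATTR_EMULATE_PREPARES to false to use server-side prepares.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE sample_voter (votername TEXT PRIMARY KEY, votecount INTEGER NOT NULL)');

// Constructed inputs; the name with an apostrophe would have broken a hand-quoted query.
foreach (['oskar', 'oskar', "O'Brien"] as $input) {
    printf("%-8s => %d\n", $input, recordVote($pdo, $input));
}
```

With PDO::ERRMODE_EXCEPTION a failed statement raises a PDOException instead of returning false silently, which covers the error-checking point raised in the replies.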