shannel Posted March 15, 2014 Share Posted March 15, 2014 Hi all, wondering if you have any ideas about this. I am trying to do an insert function only if the username exists . I am able to do this successfully BUT i'm having a problem doing the insert only for the ID associated with the username. So it would check if "Susan Bingam" is in the staff_details table, then grabs the ID associated with Susan and adds her into the password table using the password she entered into the html form it should record this ID in the password table too . I would really appreciate your help. Thank you Below is the code I have so far. $url_id = mysql_real_escape_string($_GET['id']); $uname = $_POST['uname']; $check = "(SELECT * FROM staff_details WHERE user_Name = '$uname' && id = '$url_id')"; //echo ($check); $checkResult = mysql_query($check); //$checkRows = mysql_num_rows($checkResult); echo($uname); if (mysql_num_rows($checkResult) > 0)//isset($checkRows)))// && ($checkRows == 0)) { $password = $_POST['password']; $sql2 = "INSERT INTO `password` (ID,password,registration_date) VALUES ('$url_id','$password','') "; $query2 = mysql_query($sql2); print("SUCCESSFULL."); } else { print("Error , you need to be a member of staff to sign up."); } Link to comment https://forums.phpfreaks.com/topic/287003-help/ Share on other sites More sharing options...
ginerjm Posted March 16, 2014 Share Posted March 16, 2014 First two lines are definitely a problem. You can't have a GET and a POST parm simultaneously. Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472775 Share on other sites More sharing options...
mac_gyver Posted March 16, 2014 Share Posted March 16, 2014 besides the fact that you can have both post and get parameters at the same time, the logic in your code makes no sense. it will allow anyone who knows a valid user name to register a password for that user and anyone else who comes along can register additional password(s) for that user and add row(s) to the password table. this will either allow someone other than the actual user to register and impersonate that user or it could (if you don't have any restrictions in place) allow multiple rows in your password table for one username, resulting in a mess. what exactly are you trying to accomplish? Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472796 Share on other sites More sharing options...
ginerjm Posted March 16, 2014 Share Posted March 16, 2014 besides the fact that you can have both post and get parameters at the same time, the logic It's true - you can learn something every day. Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472801 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.