shannel Posted March 15, 2014 Share Posted March 15, 2014 Hi all, wondering if you have any ideas about this. I am trying to do an insert function only if the username exists . I am able to do this successfully BUT i'm having a problem doing the insert only for the ID associated with the username. So it would check if "Susan Bingam" is in the staff_details table, then grabs the ID associated with Susan and adds her into the password table using the password she entered into the html form it should record this ID in the password table too . I would really appreciate your help. Thank you Below is the code I have so far. $url_id = mysql_real_escape_string($_GET['id']); $uname = $_POST['uname']; $check = "(SELECT * FROM staff_details WHERE user_Name = '$uname' && id = '$url_id')"; //echo ($check); $checkResult = mysql_query($check); //$checkRows = mysql_num_rows($checkResult); echo($uname); if (mysql_num_rows($checkResult) > 0)//isset($checkRows)))// && ($checkRows == 0)) { $password = $_POST['password']; $sql2 = "INSERT INTO `password` (ID,password,registration_date) VALUES ('$url_id','$password','') "; $query2 = mysql_query($sql2); print("SUCCESSFULL."); } else { print("Error , you need to be a member of staff to sign up."); } Quote Link to comment https://forums.phpfreaks.com/topic/287003-help/ Share on other sites More sharing options...
ginerjm Posted March 16, 2014 Share Posted March 16, 2014 First two lines are definitely a problem. You can't have a GET and a POST parm simultaneously. Quote Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472775 Share on other sites More sharing options...
mac_gyver Posted March 16, 2014 Share Posted March 16, 2014 (edited) besides the fact that you can have both post and get parameters at the same time, the logic in your code makes no sense. it will allow anyone who knows a valid user name to register a password for that user and anyone else who comes along can register additional password(s) for that user and add row(s) to the password table. this will either allow someone other than the actual user to register and impersonate that user or it could (if you don't have any restrictions in place) allow multiple rows in your password table for one username, resulting in a mess. what exactly are you trying to accomplish? Edited March 16, 2014 by mac_gyver Quote Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472796 Share on other sites More sharing options...
ginerjm Posted March 16, 2014 Share Posted March 16, 2014 besides the fact that you can have both post and get parameters at the same time, the logic It's true - you can learn something every day. Quote Link to comment https://forums.phpfreaks.com/topic/287003-help/#findComment-1472801 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.