invalid data should not be accepted

franches

I really need help with this code. The output is ok when the id is valid but when the id is not valid it did display the message but the data is still inserted into the database and also the station entered is deleted from the combo box list which should not happen.

hope you'll help me with this. this is what i'm assigned to do. i'm really new to php and esp. with programming but i really want to learn. i really don't know where in the code went wrong or maybe i still need some code for this.

i would really apprecialte it someone who could help me with the code. thanks.

here's the code for borrowingform.php

<?php

$db=mysql_connect("localhost","root");

mysql_select_db("mydatabase",$db);

if(isset($submit))
{ // Probably should be $_POST['submit']
if(isset($PIC))
{

//set up the query
$query ='SELECT * FROM staff WHERE PIC="' . $PIC . '"';

//run the query and get the number of affected rows
$result = mysql_query($query) or die('error making query: ' . mysql_error());
/$affected_rows = mysql_num_rows($result); Useless var. /

//if there's exactly no result, the user is not validated.
if(mysql_num_rows($result) == 0)
{
print 'PIN number not valid';
}
}
if(isset($Station))
{

//set up the query
$query = 'DELETE FROM workstation WHERE station="' . $Station . '"';
mysql_query($query) or die('error making query: ' . mysql_error()); // Let's stick to one way of querying.
}
$query = 'INSERT INTO borrow(PIC, Station) VALUES ("' . $PIC . '", "' . $Station . '")';
mysql_query($query) or die('error making query: ' . mysql_error()); // This does not have to be assigned to a var since it returns true/false if anything

}
?>

<table boarder=0><tr><td align=right>
<font size=4 face=arial color=#330066>
<form method="post" action="<?php echo $PHP_SELF?>">
Borrower: <input type="text" name="PIC"><Br><Br>
Work Station:
<?
include ("stations.inc");
?>
<br><br>
<input type="submit" name="submit" value="add to database">
</form>
</td></tr></table>

here's the code for stations.inc

<?php
$db=mysql_connect("localhost","root");
mysql_select_db("mydatabase",$db);
$tablename = "workstation";
$query = "SELECT * FROM $tablename";
$result = mysql_query($query) or die(mysql_error());

echo "<select name=\"Station\" size=\"1\">";
while($row = mysql_fetch_array($result))
{
echo "<option>".$row['station'];
}
echo "</select>";

?>

eoghain

First off, when using these forums it's nicer to use the php /php tags for your code it makes it easier for us to read and help out with.

Second off your problem is that you aren't doing anything to stop your script from running when you have an invalid id.

<?php 
   $db=mysql_connect("localhost","root"); 

   mysql_select_db("mydatabase",$db); 

   if(isset($submit)) 
   { // Probably should be $_POST['submit'] 
      if(isset($PIC)) 
      { 

     //set up the query 
     $query ='SELECT * FROM staff WHERE PIC="' . $PIC . '"'; 

     //run the query and get the number of affected rows 
     $result = mysql_query($query) 
        or die('error making query: ' .mysql_error()); 
     /*$affected_rows = mysql_num_rows($result); Useless var. */ 

     //if there's exactly no result, the user is not validated. 
     if(mysql_num_rows($result) == 0) 
     { 
        print 'PIN number not valid'; 

        /*
        Right here you need to do something to prevent the rest
        of your script from processing, or everything else will still
        continue to happen
        */
     } 
  } 
  if(isset($Station)) 
  { 

     //set up the query 
     $query = 'DELETE FROM workstation 
               WHERE station="' . $Station . '"'; 
     mysql_query($query) 
        or die('error making query: ' .mysql_error()); 
     // Let's stick to one way of querying. 
  } 
  $query = 'INSERT INTO borrow(PIC, Station) 
            VALUES ("' . $PIC . '", "' . $Station . '")'; 
  mysql_query($query) 
     or die('error making query: ' . mysql_error());
  // This does not have to be assigned to a var since it 
  //returns true/false if anything 
   } 
?> 

<table boarder=0><tr><td align=right> 
<font size=4 face=arial color=#330066> 
<form method="post" action="<?php echo $PHP_SELF?>"> 
Borrower: <input type="text" name="PIC"><Br><Br> 
Work Station: 
<? 
include ("stations.inc"); 
?> 
<br><br> 
<input type="submit" name="submit" value="add to database"> 
</form> 
</td></tr></table>

See doesn't that look nicer?

I've placed a comment into the section where you are going wrong. I'd recommend that you either nest the rest of your code in an else statement after your validation check, or set a valid flag that you test along side $Station.

Ohh and you definately should change all of the variables that can be submitted by your form to be $_POST[name], it's safer.

franches

thanks i've already done it. and thanks for the advice.