Why is this adding to the database twice?

Jazzy_Girl

Hello, this is added to the database twice instead of only once and I can't spot why. Can anyone spot the problem? Please let me know, thank you very much.

<?php
if ($_POST['softwarename']==""){
?>
<form action="<?php $_SERVER['PHP_SELF'] ;?>" method='post'>
<input type='text' name='softwarename'  size=15>
<input type='submit' name='Submit Program' value='Add Program'></form>
<?php 
}
else {
$con = mysql_connect("server","dbname","pass");
if (!$con)
{ die('Could not connect: ' . mysql_error());
}mysql_select_db("dbname", $con);
$sname = $_POST['softwarename'] ; 
$sql="INSERT INTO addsoftware (softwarename)
VALUES ('" . $_POST['softwarename'] . "')";
if (!mysql_query($sql,$con)) {echo "Form not sent, please click the back button on your browser to try again";}
else {echo "Software program added successfully!!";}} 
?>

HalfaBee

No obvious reason for double inserting.
You should clean any user input before use, see mysql_real_escape_string() below in the neatened code.
You should try and keep coding neat, it makes errors easier to find.

http://www.phpcodingstandards.com/php/

<?php
if ($_POST['softwarename']==""){
?>
<form action="<?php $_SERVER['PHP_SELF'] ;?>" method='post'>
<input type='text' name='softwarename'  size=15>
<input type='submit' name='Submit Program' value='Add Program'></form>
<?php
}
else {
    $con = mysql_connect("server","dbname","pass");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("dbname", $con);
    $sname = mysql_real_escape_string ( $_POST['softwarename']  );
    $sql="INSERT INTO addsoftware (softwarename)
              VALUES ('" . $_POST['softwarename'] . "')";
    if (!mysql_query($sql,$con)) {
        echo "Form not sent, please click the back button on your browser to try again";
    }
    else {
        echo "Software program added successfully!!";
    }
}
?>

Jazzy_Girl

I heard about that before and read up on it but don't understand it. What is escape string supposed to do? Thanks.

HalfaBee

It escapes the quote's to avoid mysql injection which can destroy a DB with a craftily composed input strings.

NogDog

See "An example SQL Injection Attack" on the [man]mysql_real_escape_string/man page.

Jazzy_Girl

Thanks a lot!!!!

Piranha

A small correction to halfabee's code. Forgot to change to $sname in the $sql variable.

<?php
if ($_POST['softwarename']==""){
?>
<form action="<?php $_SERVER['PHP_SELF'] ;?>" method='post'>
<input type='text' name='softwarename'  size=15>
<input type='submit' name='Submit Program' value='Add Program'></form>
<?php
}
else {
    $con = mysql_connect("server","dbname","pass");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("dbname", $con);
    $sname = mysql_real_escape_string ( $_POST['softwarename']  );
    $sql="INSERT INTO addsoftware (softwarename)
              VALUES ('" . $sname . "')";
    if (!mysql_query($sql,$con)) {
        echo "Form not sent, please click the back button on your browser to try again";
    }
    else {
        echo "Software program added successfully!!";
    }
}
?>