code check please

[wckf]

what is wrong with this code !!!
if(isset($_POST["name"])&&isset($_POST["email"])&&isset($_POST["pnumber"])&&($_POST["address"])){

$name = $_POST["name"];
$email = $_POST["email"];
$pnumber= $_POST["pnumber"];
$address = $_POST["address"];

if (!empty($name)&& !empty($email)&& !empty($pnumber)&& !empty($address)) {
$query= "SELECT 'Name' FROM 'customer' WHERE 'Name'='$name'";
$query_run = mysql_query($query);

if (mysql_num_rows($query_run)==1){
echo $name.'already exists.';
} else {
$query = "INSERT INTO customer values()" ;
}
}

else{
echo " all fields are required";

}

}

[Strider64]

First you need to do something like the following....

Code: Select all

<?php
   if (isset($_POST['action']))
   {
      if ($_POST['action'] == 'login')
      {
         echo $username = $_POST['username'] . "<br />";   // I just added the . "<br />" for better clarity.
      }
      
   }





?>






<form class="login-form" action="" method="post">
                                     
       <input type="hidden" name="action" value="login" >
     
       <label class="input-style" for="username">User Name</label>
       <input type="text" onfocus="if (this.value == 'User Name') this.value = '';" value="User Name" name="username" id="username" >
       <br>
       <label class="input-style" for="password">Password</label>
       <input type="password" name="password" id="password" value="" >
       <br>                 
     
       <input type="submit" id="login" value="Login" >
       <a class="link-style" href="captcha.php" target="_self">Register?</a>
 </form>

I would suggest get where you can get user input and then worry about database, when you do I the database portion I would suggest using mysqli or PDO (Most People recommend PDO).

[wckf]

Thnk your for your help
actually my problem now is with this line of code :

$query= "SELECT 'Name' FROM 'customer' WHERE 'Name'='$name'";
$query_run = mysql_query($query);

if (mysql_num_rows($query_run)==1){
echo $name.'already exists.';
}


thanks:)

[seandisanti]

1) The column name should not be quoted. Single quotes in sql indicate a literal string, column names are basically constants, and as such do not require quotes.
2) Variable names within single quotes are not substituted with their value, they're left as they appear, so in this case you're literally looking for someone named '$name' which is not super likely to hit a match. the line should read:

Code: Select all


$query="SELECT Name FROM customer WHERE Name='" . $name . "'"; 
 

3) mysql_ functions are deprecated and will probably not be around much longer. please look into PDO, or at the very least mysqli. both are faster and more secure, but PDO is the way to go for your database interactions.
http://jream.com/learning/videos/php-oo ... o-examples there's a 12 minute crash course in PDO that will get you up and running.

4) ESCAPE YOUR STRINGS if you use mysql_ or mysqli_ functions, you should be using _real_escape_string() for your string values, or with pdo you can do PDO->quote() to protect yourself from sql injection.