How can I make this script to where if it finds that the fname and lname do not exist that it will pop up a message saying that they never signed in.
<?php
session_start();
include_once("connect.php");
date_default_timezone_set("America/Winnipeg");
$date = ("m-d-Y");
$timeout = date("g:i:s a");
if ("SELECT EXISTS(
SELECT *
FROM signin_out
WHERE
lname='" . $_POST['lastname'] . "'
AND fname='" . $_POST['firstname'] . "'
AND date='" . $date . "')"
) {
mysql_query("
UPDATE signin_out
SET timeout='" . $timeout . "'
WHERE
lname='" . $_POST['lastname'] . "'
AND fname='" . $_POST['firstname'] . "'
AND timeout=''
");
header("Location: ../index.html");
} else {
echo "<script type='text/javascript>'";
echo "alert('<p>Oops! You never signed in!</p><br><p>Please contact a
Librarian</p>');'";
echo "</script>'";
header('Location: ../index.php?notsignedin');
}
?>
This is an intranet site for a highschool.
$sql = "SELECT COUNT(*) signedin FROM signin_out
WHERE lname = '" . mysql_real_escape_string($_POST['lastname']) . "'
AND fname = '" . mysql_real_escape_string($_POST['lastname']) . "'
AND date = '$date'";
$result mysql_query($sql) or die(myqsl_error());
$row = mysql_fetch_assoc($result);
if ($row['signedin'])) {
// update table
} else {
// Report not signed in
}
However, you really should switch to mysqli or PDO so you can use parametrized queries instead of concatenating strings, so you don't have to worry as much about escaping them.
This is only one part of the answer, @Barmar gave u how to handle the query itself.
Change
echo "<script type='text/javascript>'";
echo "alert('<p>Oops! You never signed in!</p><br><p>Please contact a
Librarian</p>');'";
echo "</script>'";
header('Location: ../index.php?notsignedin');
To
echo "<script type='text/javascript>'";
echo "alert('Oops!
You never signed in!
Please contact a
Librarian');'";
echo "window.location.href='../index.php?notsignedin';";
echo "</script>'";
The reason: Strings which echo go into the web server buffer before being sent as a package to the browser.
This may cause your code to reach and do the header command, and then either you will redirect immediatly, or get an error message on the lines of '...you can not send headers after output...'
And seriously consider everybody's suggestion about PDO/Mysqli and using a more centralized/abstracted way to use the DB.
Check how many rows are returned by the query,if is more than 1 then fname and lname exists in database,you can also use count(*) but i won't to change your query :
$result = mysql_query("SELECT * FROM signin_out WHERE lname='".$_POST['lastname']."' AND fname='".$_POST['firstname']."' AND date='".$date);
$num_rows = mysql_num_rows($result);//count number of rows returned by query
if($num_rows >=1) {
//Update here
}
else {
//alert and redirect here
}
I understand that your site is for intranet use only , but i suggest to use PDO or Mysqli