PHP - MySQL query executes twice

I am quite new to PHP and I am just trying my hand at a script. It is not aptly written, however, as it is vulnerable to SQL injection. I intend to improve on that; however, that is only possible as I advance in PHP. I am currently facing a problem when I try to POST variables from Java (Android) and use them to query my database: the script is executing twice, and I find duplicate records in my database. Following is the script:

<?php

require 'DbConnect.php';


$Make = $_POST["Make"];
$Model = $_POST["Model"];
$Version= $_POST["Version"];
$FuelType= $_POST["FuelType"];
$Kilo = $_POST["Kilo"];
$Price= $_POST["Price"];
$Reg= $_POST["Reg"];
$Color= $_POST["Color"];
$Mdate= $_POST["Mdate"];
$Desc= $_POST["Desc"];
$Loc= $_POST["Loc"];
$Owners = $_POST["Owners"];
$Negot= $_POST["Negot"]; 
$Trans= $_POST["Trans"];
$AC= $_POST["AC"];
$car_lockk= $_POST["Lockk"];
$Sunroof= $_POST["Sunroof"];
$Window= $_POST["Window"];
$Seat= $_POST["Seats"];
$Stearing= $_POST["Stearing"];
$Music= $_POST["Player"];
$Wheels= $_POST["Wheel"];
$Sound= $_POST["Sound"];
$Drive= $_POST["Drive"]; 
$ID = $_POST["Seller_ID"];

// POST values are interpolated directly into the SQL string
// (this is the SQL injection risk mentioned above).
$query2 = "INSERT INTO used_cars (make, model, version, color,
    manufacturing_date, km_driven, fuel_type, expected_price,
    negotiable, registration_place, no_of_owners, description,
    current_location, transmission, ac, sunroof, window, seats,
    stearing, player, wheels, sound_system, drive, car_lockk, seller_id)
    VALUES ('$Make', '$Model', '$Version', '$Color', '$Mdate', '$Kilo',
    '$FuelType', '$Price', '$Negot', '$Reg', '$Owners', '$Desc', '$Loc',
    '$Trans', '$AC', '$Sunroof', '$Window', '$Seat', '$Stearing',
    '$Music', '$Wheels', '$Sound', '$Drive', '$car_lockk', '$ID')";

if(mysql_query($query2)){
    echo 'success';
    //echo $Img
}else{
    echo 'Fail';
}

?> 

There is no reason for the code to be executed twice unless you are refreshing the page, or something in your connect script is causing it to happen.

My recommendation is to slow down. Your script is only a few lines, yet with your original formatting it's barely readable. You have equals signs in different positions, useless white space and erratic spacing, which I've attempted to edit out for the SO audience.

Try to do things right the first time. Forego the mysql syntax, look up mysqli (documentation & examples) and implement your code using the object oriented interface -- it's much simpler.

Your fixed code will look something like:

<?php
    // Create DB connection object
    $mysqli = new mysqli("localhost","username","password","database");

    // Get our POST variables
    $make = $_POST["Make"];
    // ... put the remaining POST variables here ...
    $id = $_POST["Seller_ID"];

    // Create our base query and bind parameters
    $query = $mysqli->prepare("INSERT INTO used_cars (make, ..., id) VALUES (?, ..., ?)");
    $query->bind_param('s...i', $make, ..., $id);

    if($query->execute()) { // Will return true on success
        echo "Success";
    } else {
        echo "Fail";
    }
?>

The first argument to bind_param is a list of data types: s = string, i = int, etc. You will need to list these correctly and in the right order. Refer to the documentation if you need help. Binding parameters completely eliminates the possibility of an SQL injection attack and is the preferred way to use MySQL when passing user-inputted values.

On an unrelated note, typically in PHP we start variable names with a lowercase letter. Uppercase letters are reserved for class names.
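
The prepared-statement pattern from the answer above, written out for all 25 columns of the question's INSERT; this is an added example, not part of the original answer. The bind types are assumptions (the page does not show the table schema), the connection values are the answer's placeholders, and `USED_CAR_FIELDS` and `build_used_car_insert` are hypothetical names.

```php
<?php
// Column => [POST key, bind type]. Types are ASSUMED: i = int, d = double, s = string.
const USED_CAR_FIELDS = [
    'make' => ['Make', 's'], 'model' => ['Model', 's'],
    'version' => ['Version', 's'], 'color' => ['Color', 's'],
    'manufacturing_date' => ['Mdate', 's'], 'km_driven' => ['Kilo', 'i'],
    'fuel_type' => ['FuelType', 's'], 'expected_price' => ['Price', 'd'],
    'negotiable' => ['Negot', 's'], 'registration_place' => ['Reg', 's'],
    'no_of_owners' => ['Owners', 'i'], 'description' => ['Desc', 's'],
    'current_location' => ['Loc', 's'], 'transmission' => ['Trans', 's'],
    'ac' => ['AC', 's'], 'sunroof' => ['Sunroof', 's'],
    'window' => ['Window', 's'], 'seats' => ['Seats', 's'],
    'stearing' => ['Stearing', 's'], 'player' => ['Player', 's'],
    'wheels' => ['Wheel', 's'], 'sound_system' => ['Sound', 's'],
    'drive' => ['Drive', 's'], 'car_lockk' => ['Lockk', 's'],
    'seller_id' => ['Seller_ID', 'i'],
];

// Build SQL, type string and values from one map so their order cannot drift apart.
function build_used_car_insert(array $post): array
{
    $columns = $values = [];
    $types = '';
    foreach (USED_CAR_FIELDS as $column => [$key, $type]) {
        if (!isset($post[$key]) || !is_scalar($post[$key])) {
            throw new InvalidArgumentException("Missing or non-scalar field: $key");
        }
        // Column names are fixed constants, never user input. They are
        // backtick-quoted because `window` is a reserved word in MySQL 8.0.
        $columns[] = "`$column`";
        $types .= $type;
        $values[] = $post[$key];
    }
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO used_cars (' . implode(', ', $columns) . ") VALUES ($marks)";
    return [$sql, $types, $values];
}
if (PHP_SAPI !== 'cli') {   // only touch the database when serving a request
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        [$sql, $types, $values] = build_used_car_insert($_POST);
        $mysqli = new mysqli('localhost', 'username', 'password', 'database');
        $stmt = $mysqli->prepare($sql);
        $stmt->bind_param($types, ...$values);   // user data travels only as bound values
        $stmt->execute();
        echo 'Success';
    } catch (Throwable $e) {
        error_log($e->getMessage());   // keep database details out of the response
        echo 'Fail';
    }
}
```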

In the if condition, if the query executed well, then the page will redirect to another one, so we avoid the second-time insertion of data.