Home/ Questions/Q 813813
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T01:25:14+00:00

Before posting my form I am checking the database to see if there are

  • 0

Before posting my form I am checking the database to see if there are any previous posts from the user. If there are previous posts then the script will kick back a message saying you have already posted.

The problem is that what I am trying to achieve isn’t working it all goes wrong after my else statement. It is also probable that there is an sql injection vulnerability too. Can you help??4

<?php

include '../login/dbc.php';
page_protect();

$customerid = $_SESSION['user_id'];

$checkid = "SELECT customerid FROM content WHERE customerid = $customerid";

if ($checkid = $customerid) {echo 'You cannot post any more entries, you have already created one';}

else

$sql="INSERT INTO content (customerid, weburl, title, description) VALUES
('$_POST[customerid]','$_POST[webaddress]','$_POST[pagetitle]','$_POST[pagedescription]')";

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    $_SESSION will clear when the browser is closed out. Therefore, I’d suggest using Cookies for a definite way.

    I’ve updated your code as follows:

    include '../login/dbc.php';
page_protect();

$customerid = $_COOKIE['user_id'];

$checkid = "SELECT customerid FROM content WHERE customerid = $customerid";

if ($checkid = $customerid) {echo 'You cannot post any more entries, you have already created one';}else{

$sql="INSERT INTO content (customerid, weburl, title, description) VALUES
('$_POST[customerid]','$_POST[webaddress]','$_POST[pagetitle]','$_POST[pagedescription]')";

if (!mysql_query($sql))
  die('Error: ' . mysql_error());
else
  echo "1 record added";
}

    If you are worried about injection add this tidbit prior to your insert query:

    foreach($_POST as $key=>$value){
  $_POST[$key] = addslashes($value);
}
    • 0