Make the ID of a record in your students table autoincrement and use it as a primary key. If this is not an option, check for existence of the record first with SELECT COUNT(*).
A note on security: do not use $_GET array values directly in your insert query since you are asking for SQL injection. Validate, sanitize and escape them first.
broj1
Nearly a Posting Virtuoso
1,211 posts since Jan 2011
Reputation Points: 167
Solved Threads: 164
Skill Endorsements: 13
In that case first check whether the firstname/lastname pair already exist:
$fname = mysql_real-escape_str($_GET['fname']);
$lname = mysql_real-escape_str($_GET['lname']);
$check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";
If this query returns 1 (or more) rows the firstname/lastname pair is not unique.
broj1
Nearly a Posting Virtuoso
1,211 posts since Jan 2011
Reputation Points: 167
Solved Threads: 164
Skill Endorsements: 13
This is how I would do it:
<?php
if (@$_GET['action'] == "Save") {
if(
@$_GET[idnum]==null ||
@$_GET[fname]==null ||
@$_GET[lname]==null ||
@$_GET[midin]==null ||
@$_GET[gender]==null ||
@$_GET[bdate]==null ||
@$_GET[course]==null ||
@$_GET[year]==null ||
@$_GET[address]==null ||
@$_GET[cnum]==null
) {
echo "<font size=5><center>Fill-Up First the Provided Information<br>
<button type=button onclick=history.back();>Back</button></center></font>";
} else {
// first check whether a combination of first name / last name
// already exists in the students table
// very important: escape the values before sending the query to the database
$fname = mysql_real-escape_str($_GET['fname']);
$lname = mysql_real-escape_str($_GET['lname']);
$check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";
// send the query to the database
$result = mysql_query($check_qry);
// get the number of rows returned
$num_rows = mysql_num_rows($result);
// if number of rows equals 1 or more than the combination of
// first name and last name already exists in the table
if($num_rows >= 1) {
echo "The person $fname $lname already exists in the database!";
// if number of rows equals 0, do the insert query
} else {
// security first: escape all the values before inserting them in database
$idnum = mysql_real_escape_string($_GET['idnum']);
$midin = mysql_real_escape_string($_GET['midin']);
$gender = mysql_real_escape_string($_GET['gender']);
$bdate = mysql_real_escape_string($_GET['bdate']);
$course = mysql_real_escape_string($_GET['course']);
$year = mysql_real_escape_string($_GET['year']);
$addressm = mysql_real_escape_string($_GET['address']);
$cnum = mysql_real_escape_string($_GET['cnum']);
// prepare the insert query
$ins_qry = 'INSERT INTO students ';
$ins_qry .= '(idnum,fname,lname,midin,gender,';
$ins_qry .= 'bdate,course,year,address,cnum) ';
$ins_qry .= 'VALUES ';
$ins_qry .= "('$idnum','$fname','$lname','$midin','$gender',";
$ins_qry .= "'$bdate','$course','$year','$addressm','$cnum')";
// execute the query
@$result = mysql_query($ins_qry);
echo "<font size=5><center>Record Successfully Added<br>
<button type=button onclick=history.back();>Back</button>
</center></font>";
}
}
}
I put a SELECT COUNT(*) query before the INSERT query just to check whether the first name / last name pair already exists in the database. If it doesnt exist (number of rows = 0) then do the insert query. I got rid of the if(mysql_error()) block since it is not appropriate way to check for existing records. mysql_error can return true in other cases too (i.e the database server is down).
I have changed and formated your other code too. I made sure code is a bit closer to coding standards, I added some comments which helps everyone and most importantly I added minimum security measures: escaping the values before they go to the database.
broj1
Nearly a Posting Virtuoso
1,211 posts since Jan 2011
Reputation Points: 167
Solved Threads: 164
Skill Endorsements: 13
Question Answered as of 7 Months Ago by
broj1 
RSS Feed