if (@$_GET['action'] == "Save") 
if(@$_GET[idnum]==null || @$_GET[fname]==null || @$_GET[lname]==null||@$_GET[midin]==null||@$_GET[gender]==null||@$_GET[bdate]==null||@$_GET[course]==null||@$_GET[year]==null||@$_GET[address]==null||@$_GET[cnum]==null)

echo "<font size=5><center>Fill-Up First the Provided Information<br><button type=button onclick=history.back();>Back</button></center></font>";

      @$result = mysql_query("insert into students      

VALUES ('$_GET[idnum]','$_GET[fname]','$_GET[lname]','$_GET[midin]','$_GET[gender]','$_GET[bdate]','$_GET[course]','$_GET[year]','$_GET[address]',



echo "<font size=5><center>ID Number: $_GET[idnum]. Already Exist(it must be unique)<br><button type=button onclick=history.back();>Back</button></center></font>";


echo "<font size=5><center>Record Successfully Added<br><button type=button onclick=history.back();>Back</button></center></font>";



Dude could someone please make it a whole constraint a unique entry that will added on my sql database? just the fname/firstname and lname/lastname only. thanks in advance guys for someone who help. :D

5 Years
Discussion Span
Last Post by opawix

Make the ID of a record in your students table autoincrement and use it as a primary key. If this is not an option, check for existence of the record first with SELECT COUNT(*).

A note on security: do not use $_GET array values directly in your insert query since you are asking for SQL injection. Validate, sanitize and escape them first.


i already set my ID A_I and set it primary. the issue here is duplication of firstname,lastname entry. $_GET will get the values input. my code is working. it just that it lack of constraint. by the way thank you dude. :D


In that case first check whether the firstname/lastname pair already exist:

$fname = mysql_real-escape_str($_GET['fname']);
$lname = mysql_real-escape_str($_GET['lname']);

$check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";

If this query returns 1 (or more) rows the firstname/lastname pair is not unique.


where do i integrate this code sir? i'm a total newbie. sorry sir.


This is how I would do it:

if (@$_GET['action'] == "Save") {
        @$_GET[idnum]==null   || 
        @$_GET[fname]==null   || 
        @$_GET[lname]==null   ||
        @$_GET[midin]==null   ||
        @$_GET[gender]==null  ||
        @$_GET[bdate]==null   ||
        @$_GET[course]==null  ||
        @$_GET[year]==null    ||
        @$_GET[address]==null ||
    ) {

        echo "<font size=5><center>Fill-Up First the Provided Information<br>
        <button type=button onclick=history.back();>Back</button></center></font>";

    } else {

        // first check whether a combination of first name / last name
        // already exists in the students table

        // very important: escape the values before sending the query to the database
        $fname = mysql_real-escape_str($_GET['fname']);
        $lname = mysql_real-escape_str($_GET['lname']);
        $check_qry = "SELECT COUNT(*) FROM students WHERE fname='$fname' AND lname='$lname'";

        // send the query to the database
        $result = mysql_query($check_qry);

        // get the number of rows returned
        $num_rows = mysql_num_rows($result);

        // if number of rows equals 1 or more than the combination of 
        // first name and last name already exists in the table
        if($num_rows >= 1) {

            echo "The person $fname $lname already exists in the database!";

        // if number of rows equals 0, do the insert query
        } else {

            // security first: escape all the values before inserting them in database
            $idnum    = mysql_real_escape_string($_GET['idnum']);
            $midin    = mysql_real_escape_string($_GET['midin']);
            $gender   = mysql_real_escape_string($_GET['gender']);
            $bdate    = mysql_real_escape_string($_GET['bdate']);
            $course   = mysql_real_escape_string($_GET['course']);
            $year     = mysql_real_escape_string($_GET['year']);
            $addressm = mysql_real_escape_string($_GET['address']);
            $cnum     = mysql_real_escape_string($_GET['cnum']);

            // prepare the insert query
            $ins_qry  = 'INSERT INTO students ';
            $ins_qry .= '(idnum,fname,lname,midin,gender,';
            $ins_qry .= 'bdate,course,year,address,cnum) ';
            $ins_qry .= 'VALUES ';
            $ins_qry .= "('$idnum','$fname','$lname','$midin','$gender',";
            $ins_qry .= "'$bdate','$course','$year','$addressm','$cnum')";

            // execute the query
            @$result = mysql_query($ins_qry);

            echo "<font size=5><center>Record Successfully Added<br>
                <button type=button onclick=history.back();>Back</button>

I put a SELECT COUNT(*) query before the INSERT query just to check whether the first name / last name pair already exists in the database. If it doesnt exist (number of rows = 0) then do the insert query. I got rid of the if(mysql_error()) block since it is not appropriate way to check for existing records. mysql_error can return true in other cases too (i.e the database server is down).

I have changed and formated your other code too. I made sure code is a bit closer to coding standards, I added some comments which helps everyone and most importantly I added minimum security measures: escaping the values before they go to the database.

Edited by broj1

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.