I have created a page whereby a MySQL query checks if a patient already exists in the database; if the patient doesn't exist, then the following code should add them to the database:
<?php
include("includes/staffmenu.php");
include("includes/staffsession.php");
@require_once("includes/dbconfig.inc");
$firstname=$_POST["pfname"];
$middlename=$_POST["pmname"];
$surname=$_POST["psname"];
$nat=$_POST["pnat"];
$DOB=$_POST["pdob"];
$pemail=$_POST["pemail"];
$add1=$_POST["padd1"];
$add2=$_POST["padd2"];
$add3=$_POST["padd3"];
$postcode=$_POST["ppcode"];
$telephone=$_POST["pphone"];
$pcheck=mysql_query("
SELECT * FROM patient
WHERE
Patient_First_Name='$firstname' AND Patient_Middle_Name='$middlename' AND Patient_Surname='$surname' AND Patient_National_Insurance_No='$nat'
AND Patient_DOB='DOB' AND Patient_Address_Line_1='$add1' AND Patient_Address_Line_2='$add2' AND Patient_Address_Line_3='$add3' AND Patient_Postcode='$postcode'");
$myrow = mysql_fetch_row($pcheck);
if($myrow)
{ echo "This Patient already exists.<br><br> Please press the back button on your browser or the backspace button on your keyboard to go back";
}
else
{ mysql_query("INSERT INTO patient (Patient_First_Name,Patient_Middle_Name,Patient_Surname,Patient_National_Insurance_No,Patient_DOB,Patient_Email,Patient_Address_Line_1,Patient_Address_Line_2,Patient_Address_Line_3,Patient_Postcode,Patient_Phone_No )
VALUES('$firstname','$middlename','$surname','$nat','$DOB','$pemail','$add1','$add2','$add3','$postcode','$telephone')") or die (mysql_error());
echo "<br>";
echo "<p>Success! The Patient has been added to the database
</p>";
}
?>
The problem is that even if the patient already exists, it keeps on adding a new one... Could someone please advise where I am going wrong?
2 Answers
#1
0
You are missing a $ when searching for DOB.
Patient_DOB='$DOB'
Also, please note that your code is vulnerable to SQL injection attacks.
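A hardened version of the question's check-and-insert flow, as an added example (not code from the question or either answer): the same two queries written with PDO prepared statements so that POST values are bound as parameters rather than spliced into SQL text. It assumes PHP 7.4+ with the PDO MySQL driver; the DSN and credentials are placeholders, and the column and field names are the ones from the question.

```php
<?php
// Added example, not the question's code: the same check-then-insert
// flow with PDO prepared statements. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);

// Column => POST field (the question's own names). The column names come
// from this fixed list, never from the request, so they are safe to inline.
$fields = [
    'Patient_First_Name'            => 'pfname',
    'Patient_Middle_Name'           => 'pmname',
    'Patient_Surname'               => 'psname',
    'Patient_National_Insurance_No' => 'pnat',
    'Patient_DOB'                   => 'pdob',
    'Patient_Email'                 => 'pemail',
    'Patient_Address_Line_1'        => 'padd1',
    'Patient_Address_Line_2'        => 'padd2',
    'Patient_Address_Line_3'        => 'padd3',
    'Patient_Postcode'              => 'ppcode',
    'Patient_Phone_No'              => 'pphone',
];
$values = [];
foreach ($fields as $column => $post) {
    $values[$column] = trim((string)($_POST[$post] ?? ''));
}

// Existence check. Every value is a bound parameter, so a quote in a name
// cannot alter the SQL, and Patient_DOB is compared with the submitted
// value rather than the literal string 'DOB' from the original query.
$checkCols = array_diff(array_keys($values), ['Patient_Email', 'Patient_Phone_No']);
$where = implode(' AND ', array_map(fn($c) => "$c = :$c", $checkCols));
$check = $pdo->prepare("SELECT 1 FROM patient WHERE $where LIMIT 1");
$check->execute(array_intersect_key($values, array_flip($checkCols)));

if ($check->fetchColumn() !== false) {
    echo "This Patient already exists.";
} else {
    $cols   = implode(', ', array_keys($values));
    $params = implode(', ', array_map(fn($c) => ":$c", array_keys($values)));
    $pdo->prepare("INSERT INTO patient ($cols) VALUES ($params)")->execute($values);
    echo "<p>Success! The Patient has been added to the database</p>";
}
```

A SELECT followed by an INSERT can still create a duplicate when two submissions arrive at the same time; a UNIQUE index on the columns that define a duplicate patient lets the database enforce the rule regardless of timing.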
#2
0
Try changing
Patient_DOB='DOB'
to
Patient_DOB='$DOB'