Date: 2022-01-08

Trying to check if block_lot_no is already existing using prepared statements

PHP
#1 
```php
$select = mysqli_query($db, "SELECT * FROM property WHERE block_lot_no = '".$_POST['block_lot_no']."' LIMIT 1");
if (mysqli_num_rows($select)) {
    array_push($errors, "This Block / Lot No already exists");
}

$imgData         = file_get_contents($filename);
$imageProperties = getimageSize($filename);
$status          = 'unverified';
$status1         = 'unpaid';

$sql = "INSERT INTO property (full_name, property_type, location, block_lot_no, imageType, imageData, status, status1, tax_payer_id)
        VALUES (?,?,?,?,?,?,?,?,?)";

$query = $db->prepare($sql);
$query->bind_param("ssssssssi", $_REQUEST['full_name'], $_REQUEST['property_type'], $_REQUEST['location'], $_REQUEST['block_lot_no'], $imageProperties['mime'], $imgData, $status, $status1, $_SESSION['id']);
$query->execute();
$current_id = $query->insert_id;
```

I’m trying to check if the block_lot_no already exists in my database, but my code only displays the error message and still creates new data in my database.

#2

Maybe you should use if/else then?

There are so many problems with your code. Just a short list:

  • Never use SELECT *. Always select only the columns you need.
  • Never use a POST or GET parameter directly in an SQL query. I can call your script with Postman, setting a POST variable block_lot_no = "1';DROP TABLE property;'", and your database table with all its data is deleted.
  • If block_lot_no must be unique in the table, why don’t you use it as the primary key? Then you do not need to check if it already exists but can use INSERT IGNORE or INSERT ON DUPLICATE KEY UPDATE.
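
An added example (not code from either post in this thread) that combines the points raised above: the existence check uses a bound parameter, a duplicate stops the function before the INSERT, and a unique-key violation is caught in case two requests pass the check at the same time. The function name `add_property`, its parameters and the index name `uq_block_lot_no` are hypothetical; it assumes `$db` is a connected mysqli handle and that `block_lot_no` has a UNIQUE index.

```php
<?php
// Added example. Assumed schema change (index name is hypothetical):
//   ALTER TABLE property ADD UNIQUE KEY uq_block_lot_no (block_lot_no);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

const ER_DUP_ENTRY = 1062; // MySQL error code for a unique-key violation

/** Returns the new row id, or null after adding a message to $errors. */
function add_property(mysqli $db, array $in, string $mime, string $img,
                      int $ownerId, array &$errors): ?int
{
    // 1. Existence check: bound parameter, no SELECT *, no concatenated input.
    $check = $db->prepare("SELECT 1 FROM property WHERE block_lot_no = ? LIMIT 1");
    $check->bind_param("s", $in['block_lot_no']);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();

    if ($exists) {
        $errors[] = "This Block / Lot No already exists";
        return null; // stop here so the INSERT below never runs
    }

    // 2. Insert. The UNIQUE index is the final guard: two concurrent
    //    requests can both pass step 1, but only one INSERT can succeed.
    $status  = 'unverified';
    $status1 = 'unpaid';
    $ins = $db->prepare(
        "INSERT INTO property (full_name, property_type, location, block_lot_no,
                               imageType, imageData, status, status1, tax_payer_id)
         VALUES (?,?,?,?,?,?,?,?,?)"
    );
    $ins->bind_param("ssssssssi", $in['full_name'], $in['property_type'],
        $in['location'], $in['block_lot_no'], $mime, $img,
        $status, $status1, $ownerId);
    try {
        $ins->execute();
        return $ins->insert_id;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === ER_DUP_ENTRY) {
            $errors[] = "This Block / Lot No already exists";
            return null;
        }
        throw $e; // any other database error is not a duplicate: re-raise
    }
}
```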
