It's hard to tell without seeing the rest of your code. If you are submitting your form without an element named "submitting" then you are not even processing your block of code.
Thou shalt always check whether your data exists before referencing it.
Thou shalt always validate your form data before using it.
Thou shalt always escape every bit of data before running it through a SQL query.
Thou shalt always follow a redirect header with an exit call, to stop script execution.
Thou shalt use require_once or include_once instead of require or include.
Thou shalt use mysqli extension rather than mysql, where available.
Thou shalt use code=php blocks when posting PHP code to devnetwork.
Code:
<?php
# Enable Error Reporting (turn display_errors off again on a production server so
# SQL and path details never reach the browser)
ini_set('display_errors', true);
error_reporting(E_ALL);

# Check if this is a POST
if(isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) == "post")
{
    # Includes
    require_once('open_db.php');

    # Fetch POST vars
    $bossID = isset($_POST['bossID']) ? $_POST['bossID'] : '';
    $candidateID = isset($_POST['candidateID']) ? $_POST['candidateID'] : '';
    $FName = isset($_POST['FName']) ? $_POST['FName'] : '';
    $LName = isset($_POST['LName']) ? $_POST['LName'] : '';
    $category = isset($_POST['category']) ? $_POST['category'] : '';
    $years_exp = isset($_POST['years_exp']) ? $_POST['years_exp'] : '';
    $degree = isset($_POST['degree']) ? $_POST['degree'] : '';

    # Validate POST vars here
    // To Do: Add validation.
    // If $bossID is supposed to be an integer, make sure that it is! Check your data types!
    // Note: every $_POST value arrives as a string, so is_int() would reject even "42".
    // FILTER_VALIDATE_INT accepts a string of digits and returns false for anything else.
    if(filter_var($bossID, FILTER_VALIDATE_INT) === false)
        exit('$bossID is expected to be an integer.');

    # Connect to database and query for duplicate entry, escaping all values to prevent SQL Injection.
    $my_saves = mysql_query(sprintf("SELECT * FROM `my_saves` WHERE `bossID`='%s' AND `candidateID`='%s' LIMIT 1;",
        mysql_real_escape_string($bossID),
        mysql_real_escape_string($candidateID))) or die(mysql_error());

    # If duplicate entry, bodyslam the request into oblivion (Comment with a little more swagger)
    if(mysql_num_rows($my_saves) > 0) {
        header("Location: my_saves.php");
        exit();
    }

    # Insert new record, escaping all values to prevent SQL Injection.
    mysql_query(sprintf("INSERT INTO `my_saves` (`bossID`, `candidateID`, `FName`, `LName`, `category`, `years_exp`, `degree`) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s');",
        mysql_real_escape_string($bossID),
        mysql_real_escape_string($candidateID),
        mysql_real_escape_string($FName),
        mysql_real_escape_string($LName),
        mysql_real_escape_string($category),
        mysql_real_escape_string($years_exp),
        mysql_real_escape_string($degree))) or die(mysql_error());

    # Redirect, then stop execution so nothing below runs for the redirected request.
    # (header() returns nothing, so "header(...) or exit('...')" would always print the message.)
    header("Location: my_saves.php");
    exit();
}
?>
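The same handler written the way the "use mysqli rather than mysql" commandment points to, as an added example that is not part of the original post. It uses mysqli prepared statements, so the escaping step disappears entirely and the validation step is done with FILTER_VALIDATE_INT instead of is_int(). It assumes (hypothetically, the post does not say) that open_db.php creates a mysqli connection in $db, that the my_saves table has a UNIQUE KEY on (bossID, candidateID), and PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example (not from the original post): the handler against the mysqli
// extension with prepared statements. Assumptions, not stated in the post:
// open_db.php sets $db = new mysqli(...), and my_saves has a UNIQUE KEY on
// (bossID, candidateID).
ini_set('display_errors', '1');
error_reporting(E_ALL);

// Read a POST field as a bounded integer; null when missing or invalid.
// $_POST values are always strings, so is_int() can never pass here;
// FILTER_VALIDATE_INT accepts "42" and rejects "42abc", "4.2" and "".
function post_int(string $name, int $min, int $max): ?int
{
    $v = filter_input(INPUT_POST, $name, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($v === false || $v === null) ? null : $v;
}

// Read a POST field as trimmed, non-empty text no longer than $maxLen bytes.
function post_text(string $name, int $maxLen): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;            // missing, or an array smuggled in via name[]
    }
    $v = trim($_POST[$name]);
    return ($v === '' || strlen($v) > $maxLen) ? null : $v;
}

if (!isset($_SERVER['REQUEST_METHOD']) || strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
    http_response_code(405);
    exit('POST required.');
}

require_once 'open_db.php';                                  // assumed to set $db = new mysqli(...)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // SQL errors throw instead of failing silently

// 1. Validate every field before it is used anywhere.
$bossID      = post_int('bossID', 1, PHP_INT_MAX);
$candidateID = post_int('candidateID', 1, PHP_INT_MAX);
$years_exp   = post_int('years_exp', 0, 80);
$FName       = post_text('FName', 50);
$LName       = post_text('LName', 50);
$category    = post_text('category', 50);
$degree      = post_text('degree', 50);
if (in_array(null, [$bossID, $candidateID, $years_exp, $FName, $LName, $category, $degree], true)) {
    http_response_code(400);
    exit('Invalid form data.');   // never echo the rejected value back unescaped
}

// 2. Duplicate check. Values travel as bound parameters, never inside the SQL text.
$stmt = $db->prepare('SELECT 1 FROM my_saves WHERE bossID = ? AND candidateID = ? LIMIT 1');
$stmt->bind_param('ii', $bossID, $candidateID);
$stmt->execute();
$stmt->store_result();
$exists = $stmt->num_rows > 0;
$stmt->close();
if ($exists) {
    header('Location: my_saves.php');
    exit();
}

// 3. Insert. SELECT-then-INSERT is a race between two concurrent requests; the
//    (assumed) UNIQUE KEY makes the loser fail with errno 1062, which is treated
//    as "already saved" rather than as a crash.
$stmt = $db->prepare(
    'INSERT INTO my_saves (bossID, candidateID, FName, LName, category, years_exp, degree)
     VALUES (?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('iisssis', $bossID, $candidateID, $FName, $LName, $category, $years_exp, $degree);
try {
    $stmt->execute();
} catch (mysqli_sql_exception $e) {
    if ($e->getCode() !== 1062) {
        throw $e;               // anything other than a duplicate key is a real error
    }
}
$stmt->close();

// 4. Redirect and stop; header() alone does not end the script.
header('Location: my_saves.php');
exit();
```

Two things worth noting against the original: the mysql_* functions were removed in PHP 7, so the mysqli form is the one that still runs, and the `or die(mysql_error())` pattern hands raw database error text (table and column names included) to whoever sent the request, whereas MYSQLI_REPORT_STRICT with display_errors switched off in production keeps that in the server log.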