views: 58 | answers: 5

I have a form that I am using to post data to mysql.

Before submitting the form I want to check the database and see if there are any fields in the column 'customerid' that equal 'userid' and if so not to post the form.

Basically, I am trying to limit my users from posting more than once. Users will be able to login to my system and make ONE post. They will be able to delete and modify their post but are only limited to one post.

How would I do this? Code so far:

<?php

include '../login/dbc.php';
page_protect();

$userid = $_SESSION['user_id'];

$sql="INSERT INTO content (customerid, weburl, title, description)
VALUES
('$_POST[userid]','$_POST[webaddress]','$_POST[pagetitle]','$_POST[pagedescription]')";

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

?>
A: 

Do a SELECT statement with the parameters you're wanting to check - if it returns any rows then don't do the insert.

Pseudocode:

$query = "SELECT customerid FROM content WHERE customerid = {$_POST['userid']}";
Jarrod
mmm, that's good SQL injection
Typeoneerror
Obviously, this is not production code for several reasons - 1: I marked it as pseudocode. 2: That's the format the original question was using.
Jarrod
+3  A: 

You should use two queries. The first, SELECT customerid FROM content WHERE customerid = @ID will return a row if there already exists a record with that ID. From there, an if statement will either tell your user that they already have a post or proceed with your existing code to insert the record.

JYelton
A: 

1) You can use MySQL Procedures -- You can think of a procedure as a sort of MySQL function where you can write rules exactly like the ones you want and then just call them from your PHP files.

DMin
A: 

You can do like:

<?php

session_start(); // needed so $_SESSION is populated; add it if dbc.php does not already call it

include '../login/dbc.php';
page_protect();

// Escape the session value (mysql_real_escape_string needs an open connection, which dbc.php provides)
$userid = mysql_real_escape_string($_SESSION['user_id']);

// The table stores the owner in `customerid`, so check that column; the value must be quoted,
// otherwise the escaping above does nothing
$check_query = "SELECT customerid FROM content WHERE customerid = '$userid'";
$result = mysql_query($check_query) or die(mysql_error());

if (mysql_num_rows($result))
{
  exit('User already has a post!');
  // or redirect using header().
}

// NOTE: the $_POST values below are still interpolated unescaped (see the comments on this answer)
$sql="INSERT INTO content (customerid, weburl, title, description)
VALUES
('$_POST[userid]','$_POST[webaddress]','$_POST[pagetitle]','$_POST[pagedescription]')";

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

?>
Sarfraz
Also delicious SQL injection.
Typeoneerror
If you use this code, I hope little Bobby Tables doesn't sign up on your site.
Jeff
@Typeoneerror, @Jeff: Missed that altogether, assuming `userid` is a string, I have used the right function now although prepared statements will be the better path.
Sarfraz
@Jeff must...not...post...xkcd...link....
Typeoneerror
A: 

You're very vulnerable to SQL injection:

$sql="INSERT INTO content (customerid, ...) VALUES ('$_POST[customerid]', ...)";
                                                     ^

This article explains SQL Injection and how to avoid the vulnerability in PHP.

Dolph
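Putting the three answers above together (JYelton's check-then-insert, Sarfraz's version of it, and Dolph's injection warning), here is an added example that is not code from the question or from any of the answerers. It assumes a PDO connection to MySQL (the DSN and credentials below are placeholders), a `content` table with a UNIQUE index on `customerid`, and that the logged-in user's id is in `$_SESSION['user_id']`. It takes the user id from the session rather than from the form, binds every form value instead of interpolating it, and treats the UNIQUE key, not the SELECT, as the real guarantee: two requests from the same user can both pass the SELECT before either INSERT commits, and the constraint is what stops the second one.

```php
<?php
// Added example: one post per user, enforced with prepared statements and a
// database-level UNIQUE constraint. Assumed schema (not shown on the original page):
//
// CREATE TABLE content (
//   customerid  INT UNSIGNED NOT NULL,
//   weburl      VARCHAR(255) NOT NULL,
//   title       VARCHAR(255) NOT NULL,
//   description TEXT         NOT NULL,
//   UNIQUE KEY uniq_customer (customerid)   -- the actual "one post per user" guarantee
// );

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in first.');
}

// Placeholder DSN/credentials (assumption); obtain the handle however your dbc.php does.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares; values are never spliced into SQL text
]);

// The owner id comes from the server-side session, never from $_POST:
// a client that can pick its own customerid can post as (or overwrite) anyone.
$userid = (int) $_SESSION['user_id'];

// 1) Pre-check so the user gets a friendly message instead of a database error.
//    On its own this is racy (SELECT and INSERT are separate statements), which is
//    why step 2 still relies on the UNIQUE key rather than on this result.
$check = $pdo->prepare('SELECT 1 FROM content WHERE customerid = ? LIMIT 1');
$check->execute([$userid]);
if ($check->fetchColumn() !== false) {
    http_response_code(409);
    exit('You already have a post. Edit or delete it instead.');
}

// 2) Parameterised INSERT. A title of "'; DROP TABLE content; --" is stored as
//    that literal string; it is never parsed as SQL.
$insert = $pdo->prepare(
    'INSERT INTO content (customerid, weburl, title, description) VALUES (?, ?, ?, ?)'
);
try {
    $insert->execute([
        $userid,
        $_POST['webaddress']      ?? '',
        $_POST['pagetitle']       ?? '',
        $_POST['pagedescription'] ?? '',
    ]);
} catch (PDOException $e) {
    // errorInfo[1] is the driver code; MySQL 1062 (ER_DUP_ENTRY) means the UNIQUE key
    // rejected a second post that slipped past the pre-check. Report it as "already
    // posted", not as a server crash.
    if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
        http_response_code(409);
        exit('You already have a post. Edit or delete it instead.');
    }
    error_log($e->getMessage());       // keep driver error text in the server log...
    http_response_code(500);
    exit('Could not save your post.'); // ...and never echo it to the browser as the original die() does
}

echo '1 record added';
```

The same pattern applies to the later "modify" and "delete" operations: bind `$userid` from the session into the `WHERE customerid = ?` clause so a user can only touch their own row. If you cannot add the UNIQUE index, wrap the SELECT and INSERT in a transaction and use `SELECT ... FOR UPDATE` on an InnoDB table; without one of those two, the SELECT alone does not close the window between check and insert.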