使用PHP检查MySQL中是否存在值

Question

I've been looking around stackoverflow and wasn't able to ever find a way that'd actually work. I have a simple php application

//Database credentials
$servername = "localhost";
$username = "root";
$password = "password";
$database = "database";

// Create connection to database
$db = new mysqli($servername, $username, $password, $database);

// Check connection for errors
if ($db->connect_error) {
    die("<h1>Connection to database failed: " . $db->connect_error) . "</h1>";
};

$username = $json['statuses'][0]['user']['screen_name'];
$userid = $json['statuses'][0]['user']['id_str'];

$sql = "SELECT * FROM log WHERE userid='" . $userid . "' LIMIT 1";

if ($db->query($sql)->num_rows > 0) {
    echo "<h4>This user already exists</h4>";
} else {
    //Put the userid into the database
    $sql = "INSERT INTO log (userid) VALUES ('" . $userid . "')";

    if ($db->query($sql) === TRUE) {
        echo "<h4>Added " . $username . " to the database</h4>";
    } else {
        echo "Error: " . $sql . "<br>" . $db->error;
    }
}

Currently it seems to be hit or miss. It'll work sometimes, other times a record will exist, and it'll still insert the userid again creating duplicates.

Answer 1

Like said @tadman Your code is BAD. Data from variable $json is directly inserted into query - this is not good...

Simple test:

I set :

 $userid = "111111111a";

query:

 $sql = "SELECT * FROM log WHERE userid='111111111a' LIMIT 1";

return TRUE because, this user doesn't exists in db,

or

 $userID ='111111111\' OR \'1=1';

query:

 $sql = "SELECT * FROM log WHERE userid='111111111' OR '1=1' LIMIT 1";

return TRUE because 1=1 is always true.

If column userid is INT type, $userid value is converted to 111111111 and inserted into log table