How to limit the number of rows entered into mysql database

Question

I have a form that lets users store jobs they have worked on ( credits ) into a mysql database. These credits are then echoed out on a page for other users to see. How can I limit the number of credits that each user can submit to the database to 10? Is this something I could do with javascript?

Here is my form:

 <form action="process.php" form="credits" method="GET"
              enctype="multipart/form-data" name="my_form" id="">

                            <input name="production" type="text" id="production" placeholder="Production" value = "" required>

                            <input name="channel" type="text" id="channel" placeholder="Channel" value = "">

                            <input name="company" type="text" placeholder="Production Company" value = "">

                            <input type="hidden" name="username" value="<?php echo $username; ?>">


  <button name="submit" id ="submit">
                          Submit
                        </button>

</form>

And this is how it is stored in the database.

<?php
//Database Connection
include_once "$conx.php";

if( isset($_GET['submit'] )){
$production = $_GET['production'];
$channel = $_GET['channel'];
$company = $_GET['company'];
$username = $_GET['username'];

//updating database
$stmt = $db_conx->prepare('INSERT INTO credits SET production =?, channel =?, company =?, username =?');

$stmt->bind_param('ssss',$production,$channel,$company,$username);
$stmt->execute();

mysqli_close($conx);

//Redirect back
    header("location:credits.php");

}
?>

Answer 1

The best way to do something like this is to do both client-side and server-side validation, meaning that you should be checking that they are able to submit another credit with javascript on the front end, and then double checking on the back end with PHP.

But from the looks of it, you are doing a full page refresh each time the user enters in a new credit. If this is the case, you don't even need the javascript. You could do something like this for your form:

<?php
if ($credits >= 10) {
  echo 'You have reached the maximum amount of credits allowed.';
}
else {
  echo [FORM GOES HERE];
}
?>

Some other observations: The way you've written your code seems like it might be easy to hack it. For example, if I'm user 'joe' I could easily submit something for user 'innocent_jane' simply by editing the hidden fields on the page before submitting. A better approach to using the hidden field might be to store the username in a session variable after the user logs in.

Answer 2

You'd probably want to do something like this:

$check = $db_conx->query("SELECT COUNT(*) FROM credits WHERE username=?");
$check->bind_param("s", $username);
$check->execute();
if ($check->fetch_row()[0] >= 10) {
    // show the user an error page
} else {
    // proceed with the insert query
}

That's hastily-written pseudocode, so you'll probably have to tweak it to make it actually work, but hopefully that conveys the general method you'd want to use.

Answer 3

You could check the database for their username first:

if($result = $db_conx->query("SELECT * FROM credits WHERE username == ".$username))
{
    if(($result->num_rows) < 10){ // Less than 10 credits for that username
    // do the database updating
    }
    $result->close();
} else { // It didn't find any entries for that username
// do the database updating