Code Explained - PHP

Let's take a closer look at the code. The first thing that the code does is check if the project id has been sent over. If so, it checks to see if the project id is actually a number. If it is not, then the user is redirected to the login page:

<?php

include "dbcon.php";

include "functions.php";

if(isset($_GET['pid'])){

//clean pid

if(!is_numeric($_GET['pid'])){

//the value received is not numeric. redirect the user to login

header("location:login.php");

}

If the project id passes the number check, it is cleaned and then used in the query:

//otherwise clean the received value for query use

$cpid = mysql_escape_string($_GET['pid']);

}

The first query is run to get the name of the project that matches the id that was received. If a match is found, the result is stored in the $title variable:

$getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";

$g_result = mysql_query($getname);

if(!$g_result){

echo mysql_error();

}else{

$rowname = mysql_fetch_assoc($g_result);

$title = $row['title'];

}

After checking to see if the form has been submitted, an insert query is executed and the staff details are inserted into the database. The user is then redirected to the main page of the application:

if(isset($_POST['submit'])){

//check vars

$sname=mysql_escape_string($_POST['s_name']);

$p_pid=mysql_escape_string($_POST['p_pid']);

//insert

$insert = "INSERT INTO staff SET name = '".$sname."',";

$insert .= "p_id= '".$p_pid."'";

if(!mysql_query($insert)){

echo mysql_error();

}else{

header("location:main.php");

}

}

?>