
September 2nd, 2004, 03:01 AM
invalid data should not be accepted
I really need help with this code. The output is OK when the id is valid, but when the id is not valid it does display the message, yet the data is still inserted into the database and the station entered is also deleted from the combo box list, which should not happen.
I hope you'll help me with this. This is what I'm assigned to do. I'm really new to PHP and especially to programming, but I really want to learn. I really don't know where in the code it went wrong, or maybe I still need some more code for this.
I would really appreciate it if someone could help me with the code. Thanks.
Here's the code for borrowingform.php:
quote:
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("mydatabase", $db);
if (isset($submit))
{ // Probably should be $_POST['submit']
    if (isset($PIC))
    {
        //set up the query
        $query = 'SELECT * FROM staff WHERE PIC="' . $PIC . '"';
        //run the query and get the number of affected rows
        $result = mysql_query($query) or die('error making query: ' . mysql_error());
        /*$affected_rows = mysql_num_rows($result); Useless var. */
        //if there's exactly no result, the user is not validated.
        if (mysql_num_rows($result) == 0)
        {
            print 'PIN number not valid';
        }
    }
    if (isset($Station))
    {
        //set up the query
        $query = 'DELETE FROM workstation WHERE station="' . $Station . '"';
        mysql_query($query) or die('error making query: ' . mysql_error()); // Let's stick to one way of querying.
    }
    $query = 'INSERT INTO borrow(PIC, Station) VALUES ("' . $PIC . '", "' . $Station . '")';
    mysql_query($query) or die('error making query: ' . mysql_error()); // This does not have to be assigned to a var since it returns true/false if anything
}
?>
<table border=0><tr><td align=right>
<font size=4 face=arial color=#330066>
<form method="post" action="<?php echo $PHP_SELF?>">
    Borrower: <input type="text" name="PIC"><br><br>
    Work Station:
    <?php
    include ("stations.inc");
    ?>
    <br><br>
    <input type="submit" name="submit" value="add to database">
</form>
</td></tr></table>
Here's the code for stations.inc:
quote:
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("mydatabase", $db);
$tablename = "workstation";
$query = "SELECT * FROM $tablename order by station ASC";
$result = mysql_query($query) or die(mysql_error());
echo "<select name=\"Station\" size=\"1\">";
while ($row = mysql_fetch_array($result))
{
    echo "<option>" . $row['station'];
}
echo "</select>";
?>
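
An added example (not part of the original post and not the poster's code) of the control flow the post asks for: the borrower check runs first and returns before any write, and the delete and insert run together in one transaction. It uses PDO prepared statements in place of the concatenated `mysql_*` queries; the function name `borrowStation`, the in-memory SQLite database (which needs the `pdo_sqlite` extension) and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// post; the in-memory SQLite database and its rows are constructed sample data.
function borrowStation(PDO $pdo, string $pic, string $station): bool
{
    // 1. Validate the borrower first; stop before any write if unknown.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM staff WHERE PIC = ?');
    $stmt->execute([$pic]);
    if ((int) $stmt->fetchColumn() === 0) {
        return false;
    }
    // 2. Only now change data, as one unit of work.
    $pdo->beginTransaction();
    try {
        $del = $pdo->prepare('DELETE FROM workstation WHERE station = ?');
        $del->execute([$station]);
        if ($del->rowCount() !== 1) {   // station is not in the list
            $pdo->rollBack();
            return false;
        }
        $ins = $pdo->prepare('INSERT INTO borrow (PIC, Station) VALUES (?, ?)');
        $ins->execute([$pic, $station]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();               // leave both tables untouched on error
        throw $e;
    }
}

// Constructed sample data: one staff member, two free workstations.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (PIC TEXT PRIMARY KEY)');
$pdo->exec('CREATE TABLE workstation (station TEXT PRIMARY KEY)');
$pdo->exec('CREATE TABLE borrow (PIC TEXT, Station TEXT)');
$pdo->exec("INSERT INTO staff VALUES ('1001')");
$pdo->exec("INSERT INTO workstation VALUES ('WS-01'), ('WS-02')");

var_dump(borrowStation($pdo, '9999', 'WS-01')); // unknown borrower
var_dump(borrowStation($pdo, '1001', 'WS-01')); // known borrower
var_dump((int) $pdo->query('SELECT COUNT(*) FROM workstation')->fetchColumn());
var_dump((int) $pdo->query('SELECT COUNT(*) FROM borrow')->fetchColumn());
```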