Update mySQL entry instead of create new entry

Hello, some friends and I are modding for a game, the game sends data to a url which triggers a php script.

My php coder is having a problem with accounts duplicating when a player joins, instead of finding the account and updating it.

As you can see pretty simple code. On the game side when a player leaves it sends $uid "the players permant game ID, and $gold "the amount of gold the player is carrying to the database to be stored.

How do we get the code to make sure the $uid already exists and updates it instead of it creating a whole new row in the database?

[code]<?php
include(‘connect.php’);
if (!$connect)
{
die('Could not connect: ’ . mysql_error());
}
$rows = mysql_query(“SELECT * FROM player_data”, $connect);
$num_row = mysql_num_rows($rows);
$id_row = $num_row + 1;

$order=“INSERT INTO player_data (id,game_id,gold) VALUES (’$id_row’,’$_GET[uid]’,’$_GET[gold]’)”;

if (!mysql_query($order,$connect))
{
die('Error: ’ . mysql_error());
}
mysql_close($connect);
?>[/code]

2 ways, first way, run a query to see if the player exists and if they do, run an update query, if not, run an insert query. 2nd way would be to use something like:

INSERT INTO

(field1, field2, field3, …) VALUES (‘value1’, ‘value2’,‘value3’, …) ON DUPLICATE KEY UPDATE field1=‘value1’, field2=‘value2’, field3=‘value3’, …

[php]
$rows = mysql_query(“SELECT * FROM player_data WHERE id = ‘$_GET[uid]’”, $connect);
$num_row = mysql_num_rows($rows);
if(count($num_row) > 0){
// Do update
}else{
// Do insert
}
[/php]

Or the 2nd way mentioned by richei

Please change to queries not vulnerable to sql injection, these are major security issues.

we are going to use htaccess file for apache2 when the scripts are finished. Also the url / domain will be separate from our main website.

on the duplicate thread for this top, someone said this. Would it be correct?

Pretty much what we need is to check if the uid already exists, and if it does than update the gold to the account with that uid. Thanks guys.

that was the second way i suggested. just need to make sure u have ur db table setip to support it.

It’s better to use parameterized queries than to try to escape everything. What are you doing in the htaccess files to prevent sql injection? Also the domain doesn’t matter.

well the url and scripts for the game mod are hidden in a compiled python file, so only devs will know exactly how to connect, and what values to inject. Like right now I’m using this in my browser to test the php and mysql database http://scripts.mangled.com/uploadgold.php?uid=12345678&gold=80000

It stores the values uid and gold into the database.

I tried

[php]$order=“INSERT INTO player_data (id,game_id,gold) VALUES (’$id_row’,’$_GET[uid]’,’$_GET[gold]’) on duplicate key update game_id=values(’$_GET[uid]’), gold=values(’$_GET[gold]’)”;[/php]

Did not work.

What about users sniffing traffic? Which they surely will. Either way obfuscation is no reason to not make it secure. Parameterized queries doesnt even take any extra effort

I’m not really worried about security, i’m just worried about getting it to not create a new entry every time I trigger the script.

I’m new to coding so I’m using this project to learn.

even more of a reason to do it right. otherwise you are learning the wrong thing. learning pdo and parameterized queries from the beginning is the way to go.

Well I would just like to know how to stop it from creating duplicate entries. I appreciate you guys trying to steer me in the right direction as to the proper way to do things but I would like to keep this on topic.

You have already been given several answers