PHP form validation check exising fields

Question

Currently, a user can SELECT their name from the menu if it exists in the database. If their name doesn't exist they can add their name to the form.

I want the form to CHECK if a name has been selected. If a name hasn't been selected, the user can INSERT their name into the form. Any ideas on how to do this? Thanks in advance.

Form 

<html>  
<head>  
<title>Form Input Data</title> 
</head>
<table>  
<body><table border="1">
<table bgcolor="lightblue"></body>

     <form method="post" action="insert_ac.php"> 
    <br>
<tr><td align="left"><strong>Nurse Information</strong></td></tr>
<tr>
<td><font color="red">Please select your name</font></td>
</tr>
<tr>
<td>Fullname</td>
<td><select name="valuelist">;
<option value="valuelist" name="nurse_name" value='<?php echo $nurse_name;  ?>'></option>
<?php
$value=$_POST ["valuelist"];
$con = mysql_connect("localhost","root","") or die('Could not connect:'.mysql_error());
mysql_select_db("a&e", $con) or die('Could not select database.');

$fetch_nurse_name = mysql_query("SELECT DISTINCT Fullname FROM nurse");

while($throw_nurse_name = mysql_fetch_array($fetch_nurse_name)) {
echo '<option   value=\"'.$throw_nurse_name[0].'">'.$throw_nurse_name[0].'</option>';
 }
 echo "</select>";

?>
</td>
</tr>
<tr>
<td>Please register name here:</td>
<tr>  

        <td>Fullname</td>

       <td><input type="text" name="nurse_forename" size="30"> </td>

     </tr>
 </tr>

PHP

  //get NURSE values from form
  $nurse_forename = $_POST['nurse_forename'];
//check ALL fields have values 
if($_POST['nurse_forename']==""){
die('ERROR: Please Register a Nurse');
 }
//insert 
$sql ="INSERT INTO Nurse(Fullname)
VALUES('$nurse_forename')";
mysql_query($sql,$con) or die('Error: ' . mysql_error());
echo "1 record added";
// close connection 
mysql_close($con);
?>

Answer 1

I don't quite see where you fetch the $nurse_name in the above HTML but I assume it's there..

So do the following to select the current nurses name:

while($throw_nurse_name = mysql_fetch_array($fetch_nurse_name)) {
echo '<option '. ( $throw_nurse_name[0] === $nurse_name ? 'selected="selected"' : '' ) .'  value=\"'.$throw_nurse_name[0].'">'.$throw_nurse_name[0].'</option>';
 }
 echo "</select>";

Oh and I'm sure the nurses would appriciate if you escaped database input both before storing it as well as escaped it before outputting it.

//insert 
$sql ="INSERT INTO Nurse(Fullname) VALUES('". mysql_real_escape_string( $nurse_forename ) ."')";

When outputting at least use htmlspecialchars():

<option value="valuelist" name="nurse_name" value='<?php echo htmlspecialchars( $nurse_name; )  ?>'></option>

It's also recommended to use the mysqli functions instead mysql as mysql is deprecated.

Answer 2

Updated some code (just an example):

<?php

$nurses = array() ;
$nurse_found = false ;
//Get all nurses from the database and store them in the array before the next step


//Print your select input
echo "<select>" ;
foreach ($nurses as $nurse){
  $selected = "" ;  
  if (isset($_POST['nurse_forename']) && $nurse['name']===$_POST['nurse_forename']){
    $nurse_found = true ;
    $selected = "selected" ;
  }
  echo "<option value='{$nurse['name']}' {$selected}>{$nurse['name']}</option>" ;

}
echo "</select"> ;

//NEXT STEP:
//A nurse is not found. If form is submitted, we can add her into database.

if (!$nurse_found && !empty($_POST['nurse_forename'])){
  $name = mysql_real_escape_string($_POST['nurse_forename']) ;
  $query = "INSERT INTO `nurses` VALUES ('{$name}') ; " ;
  $result = mysql_query($query, $mysql_link) ;
  if (mysql_affected_rows($mysql_link) == 1){
    echo "A new nurse has been added" ;
  }
}
?>

Some hints:

• Write a well-structured code and separate logic operations from graphic ones
• Stop using mysql_* extension for it is deprecated. Use mysqli or PDO instead.
• Sanitize and check ALL the input made by user. Otherwise your database is vulnerable to SQL injections and your website is vulnerable to XSS attacks.

Good luck!