Getting a value in PHP from MySQL and if there's no record - inserting it

Question

I've got the following code:

<?php
include 'payment/dbConfig.php';
$email = $_GET['email'];
$account = $_GET['account'];
if($email != ''){
    $sql = "SELECT command FROM bots WHERE email='".$email."' AND account='".$account."' limit 1";;
    $result = $db->query($sql);
    if ($result->num_rows > 0) {
        // output data of each row
        while($row = $result->fetch_assoc()) {
            $value = $row["command"];
        }
    }

    if($value != ''){
       echo $value;
       $sql = "UPDATE `bots` SET command='' WHERE email='".$email."' AND account='".$account."'";
       $db->query($sql);
    }else{
        $sql = "INSERT INTO `bots`(`email`, `account`) VALUES ('".$email."','".$account."')";
        $db->query($sql);
    }
}
?>

Which definitely looks like a mess, and this isn't working right.
Specifically, it endlessly adds the same 'email' and 'account' into the database, even though it should be done only when $value is not equal to emptiness.

What should I do?

Answer 1

You can do this in less code.

if ($result->num_rows > 0) {
    // Update
    $sql = "UPDATE `bots` SET command='' WHERE email='".$email."' AND account='".$account."'";
   $db->query($sql);
} else {
    // Insert
    $sql = "INSERT INTO `bots`(`email`, `account`) VALUES ('".$email."','".$account."')";
    $db->query($sql);
}

Note: You are passing the user inputs ($_GET) directly in the query, Sanitize all user inputs ($_GET, $_POST) and check for SQL Injection before execute any query.