Why is my data inserted twice in MySQL

Question

I am using PHP and MySQL database to do my school project. There is a problem that I encounter when I try to import data in my database. In the 1st table (murid table) it works perfectly, but in the second table (pendaftaran table), it seems to import twice. This is my PHP code. I wonder why my data is inserted twice in the pendaftaran table?

<?php
session_start();
$username = $_SESSION['username'];
$conn = mysqli_connect('localhost','root','','darksith');

if(!$conn)
{
    echo 'Not connected';   
}


if (isset($_POST['importbutton'])) {
    $namaFail = $_FILES['file']['tmp_name'];

    if ($_FILES['file']['size'] > 0) {
      $fail = fopen($namaFail, 'r');

      while (!feof($fail)) {
        $data = fgetcsv($fail, '0');

        $query = "SELECT * FROM murid WHERE No_Sekolah_Murid = '".$data[0]."'";
        $result = mysqli_query($conn, $query);

        if (empty($data[0] || $data[1] || $data[2] || $data[3])) {
          echo "<script>
              window.alert('Sila isikan semua medan dalam fail!');
              window.location = '';
              </script>";
          //exit();
        } else {

          if (mysqli_num_rows($result) === 0) {
            $query1 = "INSERT INTO murid(No_Sekolah_Murid, Nama_Murid, Kelas, Tarikh_Daftar) VALUES('".$data[0]."', '".$data[1]."', '".$data[2]."',NOW())";

            $query2 = "INSERT INTO pendaftaran(ID_Pendaftaran, ID_Pengguna, No_Sekolah_Murid, Kod_Pertubuhan) VALUES('', '$username', '".$data[0]."', '".$data[3]."')";

            mysqli_query($conn, $query1);
            var_dump(mysqli_query($conn, $query1));
            mysqli_query($conn, $query2);
            var_dump(mysqli_query($conn, $query2));


          // echo "<script>
              // window.alert('Rekod berjaya ditambahkan!');
              // window.location = 'import.html';
              // </script>";
          } else {
            "<script>
          window.alert('Rekod gagal ditambahkan!');
          window.location = 'import.html';
          </script>";
          }
        }

      } fclose($fail);
    } 

} else {   
    echo "<script>
      window.alert('Import gagal. Sila cuba sekali lagi!');
      window.location = 'import.html';
      </script>";
    exit();
}

?>

Answer 1

Change the below mentioned code:

mysqli_query($conn, $query2);
var_dump(mysqli_query($conn, $query2));

to

$sqlExecRes = mysqli_query($conn, $query2);
var_dump($sqlExecRes);

Answer 2

The query is being executed two times.

It's being executed on this line:

   mysqli_query($conn, $query2);

and then executed again, on this line:

   var_dump(mysqli_query($conn, $query2));

That call to the mysqli_query function executes the function again. That line says "execute mysqli_query function", and then output the return from the function.

In terms of the behavior we observe, those two lines are essentially equivalent to writing:

   $foo2 = mysqli_query($conn, $query2));
   $foo2 = mysqli_query($conn, $query2));
   var_dump($foo2);

---

Pattern used in the code in the question appears to be vulnerable to SQL Injection. Use prepared statements with bind placeholders.

Little Bobby Tables https://xkcd.com/327/

OWASP Project https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

It’s somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.