Help required!


taqi786
01-21-2008, 01:40 PM
Following is my insert.php file, to which my form posts the data:

<?php
$fname = $_POST["fname"];
$lname = $_POST["lname"];
$age = $_POST["age"];
$con = mysql_connect("localhost","giftme@1","mypass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("giftme@1-airtime", $con);
$sql = "SELECT * FROM PERSON WHERE(first_name='$fname' AND last_name='$lname' AND age='$age')";
$result = MySQL_query($sql, $con);
$already_there = (MySQL_num_rows($result) > 0);

if ($already_there) {
$array = MySQL_fetch_array($result);
$id = $array['id'];
$entries = $array['entries'] + 1;
$sql = "UPDATE person SET entries=$entries WHERE id=$id";
}
else {
$sql = "INSERT INTO person VALUES('', '$fname', '$lname', 1)";
}
MySQL_query($sql, $con);
MySQL_close($con);

/*redirect - this must be the first output of the script
*not even an empty line can come before the initial <?php tag
*/
header('location: http://yahoo.com/');
?>

I don't know what's gone wrong; the program isn't running and gives the following error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /data/apache/users/kilu.de/giftme/www/form/insert.php on line 14

Warning: Cannot modify header information - headers already sent by (output started at /data/apache/users/kilu.de/giftme/www/form/insert.php:14) in /data/apache/users/kilu.de/giftme/www/form/insert.php on line 31

Line 14: $already_there = (MySQL_num_rows($result) > 0);
Line 31: header('location: http://yahoo.com/');

Could anyone help :D

tili
01-23-2008, 04:57 AM
try this

<?php

$fname = $_POST["fname"];
$lname = $_POST["lname"];
$age = $_POST["age"];
$con = mysql_connect("localhost","giftme@1","mypass");
if (!$con) {
die('Could not connect: ' . mysql_error());
}

mysql_select_db("giftme@1-airtime", $con);
$sql = "SELECT * FROM PERSON WHERE first_name='$fname' AND last_name='$lname' AND age='$age'";
$result = mysql_query($sql, $con);


if (mysql_num_rows($result > 0) {
$array = mysql_fetch_array($result);
$id = $array['id'];
$entries = $array['entries'] + 1;
$sql = "UPDATE person SET entries=$entries WHERE id=$id";
}
else {
$sql = "INSERT INTO person VALUES('', '$fname', '$lname', 1)";
}
mysql_query($sql, $con);
mysql_close($con);

/*redirect - this must be the first output of the script
*not even an empty line can come before the initial <?php tag
*/
header('location: http://yahoo.com/');


?>

MrCoder
01-23-2008, 07:50 AM
The above is open to SQL injection, google it.. (mysql_real_escape_string())

Use "echo mysql_error()" to debug your code.

taqi786
01-23-2008, 09:54 AM
if (mysql_num_rows($result > 0) {
Still giving
Parse error: syntax error, unexpected '{' in /data/apache/users/kilu.de/giftme/www/lea/insert.php on line 16

MrCoder
01-23-2008, 10:08 AM
if (mysql_num_rows($result) > 0) {

tili
01-23-2008, 11:33 PM
Thanks MrCoder for your reply. Yes, sure, I'd be pleased if you could educate me on these things.

tili
01-23-2008, 11:51 PM
sorry,
if (mysql_num_rows($result > 0) {

should be like this
if (mysql_num_rows($result) > 0) {

MrCoder
01-24-2008, 04:24 AM
SQL Injection 101..

Typecasting..
Always make sure values that you are placing in your SQL query, such as $_GET or $_POST values, are typecast correctly.
This means if the $_GET value is always a number then typecast it as an (int).


mysql_query("SELECT * FROM users WHERE id = ".$_POST["id"]);

That is open to SQL injection since somebody could pass the following to your SQL query.

1; DROP TABLE users


This is how it should be done..

mysql_query("SELECT * FROM users WHERE id = ".(int)$_POST["id"]);


Now, no matter what the user populates the $_POST value with, it will always be a number, so it is no longer open to SQL injection.


mysql_real_escape_string()..

Take the following SQL query..

mysql_query("SELECT * FROM users WHERE username = '".$_POST["username"]."'");


Somebody could insert the following into the $_POST["username"] value..

frank' OR 1=1--


This would turn your SQL query into the following..

SELECT * FROM users WHERE username = 'frank' OR 1=1--'


Since "--" is like a PHP comment "//", it tells MySQL to ignore the last ' in the line and turns the above into a valid SQL query.

To avoid this use the following..

mysql_query("SELECT * FROM users WHERE username = '".mysql_real_escape_string($_POST["username"])."'");


Look up more info on mysql_real_escape_string() (http://uk2.php.net/mysql_real_escape_string)
Look up more info on typecasting (http://uk2.php.net/manual/en/language.types.type-juggling.php)
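A hardened version of the thread's insert.php, added here as an example (not code from any of the posters), applying the typecast and mysql_real_escape_string() advice above together with the mysql_error() check from the earlier reply; it keeps the thread's legacy mysql_* API (removed in PHP 7.0), and the column names id, first_name, last_name, age and entries are assumed from the thread's own queries.

```php
<?php
// Added example: the thread's insert.php with the advice from this post
// applied. Legacy mysql_* API as in the thread (removed in PHP 7.0);
// table and column names are assumed from the thread's own queries.
foreach (array("fname", "lname", "age") as $field) {
    if (!isset($_POST[$field])) {
        die("Missing form field: $field");  // a PHP notice here would also break header()
    }
}

$con = mysql_connect("localhost", "giftme@1", "mypass");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
if (!mysql_select_db("giftme@1-airtime", $con)) {
    die('Could not select database: ' . mysql_error());
}

// Escape the strings (needs the open connection) and typecast the number.
// "frank' OR 1=1--" becomes "frank\' OR 1=1--" and stays inside the quotes.
$fname = mysql_real_escape_string($_POST["fname"], $con);
$lname = mysql_real_escape_string($_POST["lname"], $con);
$age   = (int) $_POST["age"];   // numeric column: cast it, do not quote it

$sql = "SELECT id, entries FROM person
        WHERE first_name='$fname' AND last_name='$lname' AND age=$age";
$result = mysql_query($sql, $con);
if (!$result) {
    // A failed query returns false, which is what produced the
    // "not a valid MySQL result resource" warning in the original script.
    die('Query failed: ' . mysql_error());
}

if (mysql_num_rows($result) > 0) {     // not mysql_num_rows($result > 0)
    $row     = mysql_fetch_assoc($result);
    $id      = (int) $row['id'];
    $entries = (int) $row['entries'] + 1;
    $sql = "UPDATE person SET entries=$entries WHERE id=$id";
} else {
    $sql = "INSERT INTO person (first_name, last_name, age, entries)
            VALUES ('$fname', '$lname', $age, 1)";
}
if (!mysql_query($sql, $con)) {
    die('Query failed: ' . mysql_error());
}
mysql_close($con);
// Nothing has been echoed above, so the redirect header can still be sent.
header('Location: http://yahoo.com/');
exit;
```

On current PHP the same protection comes from mysqli or PDO prepared statements, which keep the submitted values out of the query text entirely.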

taqi786
01-24-2008, 06:56 AM
Thanks, I shall try these. Thank you MrCoder and Tili.