Insert row into MQSQL Database only under certain conditions

Before reading, please note that I am very new to both PHP and MYSQL. I have created a table in my MYSQL database. I would now like to 'spit out' this table onto a page through PHP. This part I seem to be okay with. After outputting the tables data into an HTML table, I would like to output an HTML form onto my page. So, I now have a table followed by a form. This form will contain a few text boxes that, when submitted, will post the data used to insert a new row into the preexisting table noted above.

All of the above code is currently in a PHP file named 'display.php'.

My Issue:

If the form described开发者_开发问答 above is posting back to my 'display.php' file, after inserting a new row and displaying the new table information, what is stopping my code from inserting another new row full of NULL data? I'm sure I did a less than decent job of explaining this scenario so I will post some code.

HTML / PHP

<html>
<head> 
    <title>Html and PHP</title>
</head>

<body>

<!-- Form -->
<form action="insertdata.php" method="post">
Username: <input type="text" name="username" >
Hardware ID: <input type="text" name="hardwareid" >
<input type="submit" >
</form>

<?php

// Connect to MYSQL
$con = mysql_connect("localhost","blah","private");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Select database
mysql_select_db("dbname", $con);

// Insert posted data into table
$sql="INSERT INTO tablename(
Username,
HardwareID)

VALUES
('$_POST[username]','$_POST[hardwareid]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record successfully added...";

mysql_close($con)
?>

</body>
</html>

Again, I am a complete beginner - and I understand this. I want to know, must the different parts of the above code be placed into multiple files? I don't want to have to go to a new address, which is why this is causing me so much confusion I'd say.

try some thing like this,

connection.php file

    // Connect to MYSQL
$con = mysql_connect("localhost","blah","private");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Select database
mysql_select_db("dbname", $con);

display.php file

    <html>
<head> 
    <title>Html and PHP</title>
</head>

<body>

<!-- Form -->
<form action="process.php" method="post">
Username: <input type="text" name="username" >
Hardware ID: <input type="text" name="hardwareid" >
<input type="submit" >
</form>

</body>
</html>

process.php file

    include_once("ur_file_dir/connection.php");

    if ((isset($_POST['username']) && isset($_POST['hardwareid'])) {

      $sql="INSERT INTO tablename(
         Username,
         HardwareID)

         VALUES
            ($_POST['username'],$_POST['hardwareid'])";
      if (!mysql_query($sql,$con))
      {
          die('Error: ' . mysql_error());
      }
      echo "1 record successfully added...";

      mysql_close($con)

}

You should validate your input, ie:

if (!empty($_POST['username'] && !empty($_POST['hardwareid']) {
    // do your insert here
}

Also, you should be wary of allowing user input to be inserted directly into your query, as this leaves your open to SQL injections. A better way to do this is to use PDO and prepared statements:

http://php.net/manual/en/pdo.prepared-statements.php