PHP Register Script - check user exists not working

Question

I've got a problem with my PHP Registration Script that firstly checks, if the user exists.

It always outputs "false".

<?php
$username = $_GET['username'];
$passwort = $_GET['passwort'];

$database = @mysql_connect("***********", "********", "******") or die("Can't connect to the server. Error: ".mysql_error());
//$username = mysql_real_escape_string($username);
$passwort = hash("sha256", $passwort);

$numrows = mysql_query("SELECT * FROM *******.mikgames WHERE username='".$username."' LIMIT 1"); 
$checkuserexists = mysql_num_rows($numrows);

if($checkuserexists==0) {
$abfrage = mysql_query("INSERT INTO *******.mikgames (username,passwort) VALUES ('$username', '$passwort')");   
echo'true';
}
else {
echo'false';
}        
?>

Edit: Now I'am using MySQLi and I've changed the code into this:

<?php
$username = $_GET['username'];
$passwort = $_GET['passwort'];

$con = mysqli_connect('************','******','******') or     die(mysqli_error());
mysqli_select_db($con, "*******") or die("cannot select DB");

$passwort = hash("sha256", $passwort);

$query = mysqli_query($con,"SELECT * FROM *******.mikgames WHERE     username='".$username."'");
$result = mysqli_num_rows($query);

if($result==0) {
$abfrage = mysqli_query($con, "INSERT INTO ********.mikgames (username,passwort) VALUES ('$username', '$passwort')");   
$result = mysqli_query($con,$abfrage);
echo 'true';
}
else {
echo 'false';
}        
?>

And it works.

please use `mysqli` instead of `mysql` - because `mysql` is deprecated! — Edgars Aivars, Jul 10 '16 at 11:48
script looks fine to me. You have to debug more. First echo your username checking query and run in your phpmyadmin and see what result you are getting there. — Shrikant Mavlankar, Jul 10 '16 at 11:48
remove your error supression `@` mark. Use MySQLi . Clean your user inputs to prevent SQL injection and DB compromise. [Turn on PHP error logging](http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display). — Martin, Jul 10 '16 at 12:45

score 1 · Answer 1 · answered Jul 10 '16 at 13:15

You could go one step better and take an OOP approach using the PDO driver; PDO invokes security by allowing secure parameter binding and uses the SQL preferred functions.

Inside your pdo_driver.php file:

namespace ProjectName\App\Drivers;

if(!defined('IN_PROJECTNAME'))
{
    die('No Script Kiddies Please...');
}

interface EntityContainer
{
    public function query($statement, array $values = array());
}

class Entity extends \PDO implements EntityContainer
{
    public function __construct(
        $dsn = 'mysql:host=XXXX;dbname=XXXX', $user = 'XXXX', $pass = 'XXXX'
    ) {
        try {
            parent::__construct($dsn,$user,$pass);
        } catch (PDOException $ex) {
            die('FATAL ERROR: ' . $ex->getMessage());
        }
    }

    public function query(
        $statement, array $values = array()
    ) {
        $smpt = parent::Prepare($statement);
        (empty($values)) ? $smpt->execute() : $smpt->execute($values);
        return $smpt;
    }
}

Inside any other php file:

define('IN_PROJECTNAME', 0);
require_once dirname(__FILE__) . '/path/to/pdo_driver.php';

$container = array();
$container['Connection'] = new ProjectName\App\Drivers\Entity();

$username = $_GET['username'];
$passwort = $_GET['passwort'];

if(empty($container['Connection']->query('SELECT passwort FROM ******.mikgames WHERE username = ?', [$username])->fetch()['passwort'])) {
    $container['Connection']->query('INSERT INTO ******.mikgames (username,passwort) VALUES (?, ?)', [$username,$passwort]);
}

score 0 · Accepted Answer · answered Jul 10 '16 at 12:55

Two Factors:

Firt Factor

You need to add an error output for debugging purposes:

$query = mysqli_query($con,"SELECT * FROM <tablename> WHERE     
         username='".$username."'") or die(mysqli_error($con));

I can't see a clear error with the information you have displayed here so far so you should also check what the value of $username acutally is and how closely it fits the value in the DB. Also read and take on board what the error output tells you.

Second Factor:

Your problem is you're running/articulating a query twice, here:

if($result==0) {
$abfrage = mysqli_query($con, "INSERT INTO ********.mikgames 
           (username,passwort) VALUES ('$username', '$passwort')");   
$result = mysqli_query($con,$abfrage);

You see $abfrage is a MySQL result object and you're then plugging it back into a MySQL query call, with the variable declaration $result. So your result is querying a query. This is an error.

What you probably want to do is use MySQLi_affected_rows to count how many rows have been inserted and run the appropriate IF clause:

if($result==0) {
    $abfrage = mysqli_query($con, "INSERT INTO ********.mikgames 
          (username,passwort) VALUES ('$username', '$passwort')");   
    $result = mysqli_affected_rows($con);
    echo 'true';
}
else {
    echo 'false';
}

score 0 · Answer 3 · answered Jul 10 '16 at 13:30

0

Use @mysql_***** for your ptoject.

$sql="SELECT * FROM table_name";
$result=@mysql_query($sql, $conn);
while ($name = @ mysql_fetch_array($result)){
    echo $name ['username'];
}

You just used simple mysql_***

answered Jul 10 '16 at 13:30

dre

23
8

PHP Register Script - check user exists not working

3 Answers3

Firt Factor

Second Factor: