-1

I am trying to make a simple register page where users register with username, email, password and gender. I somehow stumbled over some problems: the code I made seems to let users register with a username or e-mail that already exists. I tried to prevent this in my code, but it doesn't seem like it worked.

What am I doing wrong?

Here is the whole code:

<?php
session_start();
if (isset($_SESSION['user'])!="") {
    header("Location: index.php");
}
include 'includes/config.php';

if(isset($_POST['btn-signup'])) {

    $username = strip_tags($_POST['username']);
    $username = strtolower($_POST['username']);
    $email = filter_var($_POST['email'],FILTER_SANITIZE_EMAIL);
    $email = filter_var($email,FILTER_VALIDATE_EMAIL);
    $email = strip_tags($_POST['email']);
    $password = strip_tags($_POST['password']);
    $current_time = strtotime("now");
    $username = $con->real_escape_string($username);
    $gender = $con->real_escape_string($_POST["gender"]);
    $email = $con->real_escape_string($email);
    $password = $con->real_escape_string($password);

    $hashed_password = password_hash($password, PASSWORD_DEFAULT); // this function works only in PHP 5.5 or latest version

    $check_username = $con->query("SELECT * FROM users WHERE username='$username' LIMIT 1");
    $check_email = $con->query("SELECT * FROM users WHERE email='$email' LIMIT 1");

        if(count($_POST)>0) {

    if(!isset($msg)) {
    }
    if($_POST['username'] === $check_username){ 
    $msg = 'Username already exists<br>'; 
    }

    if($_POST['email'] === $check_email){ 
    $msg = 'Email already exists<br>'; 
    }    

    if($_POST['password'] != $_POST['confirm_password']){ 
    $msg = 'Password doesnt match<br>'; 
    }


    if(!isset($msg)) {
    if (!filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
    $msg = "Invalid e-mail";
    }
    }

    if(!isset($msg)) {
    if(!isset($_POST["gender"])) {
    $msg = " Gender field is required";
    }
    }
    }

    if(!isset($msg)) {
        $query = "INSERT INTO users(username,email,password,gender,joined) VALUES('$username','$email','$hashed_password','$gender','$current_time')";
                if(mysqli_query($con, $query)){
                $msg = "You have registered successfully!"; 
                } else{
                $msg = "Could not register your account. Try Again!";
                }
    }
}
    $con->close();
?>
<!DOCTYPE html>
<html>
<head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
    <title>Register</title>
</head>
<body>
    <div class="signin-form">
        <div class="container">
            <form class="form-signin" id="register-form" method="post" name="register-form">
                <h2 class="form-signin-heading">Sign Up</h2>
                <hr>
                <?php
                if (isset($msg)) {
                echo $msg;
                 }
                 ?>
                <div class="form-group">
                    <input class="form-control" name="username" placeholder="Username" required="" type="text">
                </div>
                <div class="form-group">
                    <input class="form-control" name="email" placeholder="Email address" required="" type="email"> <span id="check-e"></span>
                </div>
                <div class="form-group">
                    <input class="form-control" name="password" placeholder="Password" required="" type="password">
                </div>
                <div class="form-group">
                    <input class="form-control" name="confirm_password" placeholder="Confirm password" required="" type="password">
                </div>
                <div class="form-group">
                    <select class="form-control" id="gender" name="gender">
                        <option disabled hidden="" selected>
                            Select
                        </option>
                        <option>
                            Male
                        </option>
                        <option>
                            Female
                        </option>
                    </select>
                </div>
                <hr>
                <div class="form-group">
                    <button class="btn btn-default" name="btn-signup" type="submit"><span class="glyphicon glyphicon-log-in"></span> &nbsp; Create Account</button> <a class="btn btn-default" href="index.php" style="float:right;">Log In Here</a>
                </div>
            </form>
        </div>
    </div>
</body>
</html>
Funk Forty Niner
Martin
  • 1
    Maybe set those fields as UNIQUE in database and try to put them in with `INSERT IGNORE` and then check `mysqli_affected_rows($db)`? If it will be `0`, would mean that it wasn't unique :-) – Flash Thunder Mar 04 '17 at 15:08
  • the code seems correct .. you have a test case ?? – ScaisEdge Mar 04 '17 at 15:13

1 Answer

-1

The problem is that you do not fetch your result from the sql result.

So $con->query($sqlQuery); will return a PDOStatement object. You can't compare such an object with a string. So first you need to extract the string. This will work like this:

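// Select only the username column so that index 0 of the fetched row is the username.
$check_username_result = $con->query("SELECT username FROM users WHERE username='$username' LIMIT 1");
$check_username = $check_username_result->fetch_array()[0] ?? null; // null when no row matches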

$check_username will now hold the value of the username and you can compare it as you do.

Larce
  • That would give me this error: Call to undefined method mysqli_result::fetch() – Martin Mar 04 '17 at 15:55
  • @Martin I'm so sorry, I thought you were using PDO. In mysqli it's fetch_array(). I changed the code. See here for more information: http://php.net/manual/en/mysqli-result.fetch-array.php – Larce Mar 04 '17 at 16:24
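
The UNIQUE-column approach suggested in Flash Thunder's comment, as an added example (not code from the question or the answer): the database rejects duplicates atomically, so two simultaneous sign-ups cannot both pass a SELECT check, and prepared statements replace the string-built queries. The `register_user` helper, the `uq_username`/`uq_email` index names and the existence of those UNIQUE indexes are assumptions.

```php
<?php
// Assumed schema (not shown on the page): UNIQUE indexes on both columns, e.g.
//   ALTER TABLE users ADD UNIQUE KEY uq_username (username),
//                     ADD UNIQUE KEY uq_email (email);
// $con is an open mysqli connection, as created in includes/config.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Hypothetical helper: validates the form and returns the message to display.
function register_user(mysqli $con, array $post): string
{
    $username = strtolower(trim($post['username'] ?? ''));
    $email    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $post['password'] ?? '';
    $gender   = $post['gender'] ?? '';

    if ($username === '') return 'Username is required';
    if ($email === false) return 'Invalid e-mail';
    if ($password === '' || $password !== ($post['confirm_password'] ?? null)) {
        return "Password doesn't match";
    }
    // Allow only the two values the form offers.
    if (!in_array($gender, ['Male', 'Female'], true)) return 'Gender field is required';

    // Hash the raw password: strip_tags() or SQL escaping would alter it.
    $hash   = password_hash($password, PASSWORD_DEFAULT);
    $joined = time();

    try {
        $stmt = $con->prepare(
            'INSERT INTO users (username, email, password, gender, joined) VALUES (?, ?, ?, ?, ?)'
        );
        $stmt->bind_param('ssssi', $username, $email, $hash, $gender, $joined);
        $stmt->execute();
        return 'You have registered successfully!';
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() !== 1062) { // 1062 = ER_DUP_ENTRY (unique key violated)
            throw $e;
        }
        // The insert was rejected; find out which value collided for the message.
        $stmt = $con->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        return $stmt->num_rows > 0 ? 'Username already exists' : 'Email already exists';
    }
}

// Usage inside the btn-signup branch: $msg = register_user($con, $_POST);
```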