Checking DB

[ecabrera]

Ok so the code is suppose to check if the email enter is in the database after that it checks the username but it wont work. It just inserts it

if(isset($_POST['submitbtn'])){

//checks if the email already is in the db
$check = "SELECT * FROM `users` WHERE `email` = '$email'";
$sql = mysqli_query($db,$check);
$emailreturn = mysqli_num_rows($sql);
if($emailreturn != '1'){

//check to see if the username is good
$checkuser = "SELECT * FROM `users` WHERE `username` = '$username'";
$sqluser = mysqli_query($db,$checkuser);
$usernamereturn = mysqli_num_rows($sqluser);
if($usernamereturn != '1'){

//everything is good and account is created
$insert = "INSERT INTO `users`(`firstname`, `lastname`, `email`, `password`, `username`, `date_register`) VALUES ('$firstname','$lastname','$email','$password','$username','$now')";

$query = mysqli_query($db,$insert);

$emsg = "Please verify your email address.<br>";

}else{
$emsg = "Username is not available!<br>";
}
}else{
$emsg = "Email already used!<br>";
}

}

[mac_gyver]

i don't see where you are setting the $email or $username variables, so are they empty, which would insure that your queries don't match any rows?

[ecabrera]

require "scripts/db.ini.php";

$emsg = "";

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
$now = date("m-d-Y");

//making sure the passwords are hash
$password = md5($password);

This goes before the code i posted

[mac_gyver]

the code referencing the $_POST variables needs to be all after the if(isset($_POST['submitbtn'])){ line.

 

there's several possible problems for the code not working -

 

1) your form doesn't contain username/email fields with those exact names (spelling or capitalization) or the form is otherwise broken and could only be setting $_POST['submitbtn'].

 

2) your queries could be failing, in which case the num_rows values will be zero or perhaps null, i don't recall, both of those would be considered not equal to 1. one possible reason for the queries to fail is if the username/email contains sql special characters that are breaking the sql syntax (because the insert apparently is working, this is not the case, but you should ALWAYS escape string data being put into a query to prevent sql injection and errors OR use prepared queries.)

 

3) due to prior testing, you could have more than one row in your database table with the same username/email you are entering and num_rows is returning a value > 1, which of course is not equal to 1.

 

some suggestions to address these -

 

1) your code MUST validate user supplied input. if your code already had validation logic and it was telling you the username or the email is empty, that would help you troubleshoot where the problem is occurring at.

 

2) you MUST always test if queries are working or not before attempting to use the result form the queries. if your error checking logic says the query ran without any errors, you will know the num_rows value is valid and can be used.

 

3) your database table definition should enforce uniqueness. this will prevent duplicate values. also, you should use positive, fool-proof logic. there are several values that are not equal to 1 (-1, 0, 2, ...). your code should use a comparison that will only be true for the desired value(s.) in this case the num_rows values should be == (equal to) zero.