Check database for a value


RedInjection

Hello all,
 
if (isset($_POST['resetpassword'])) {
    //$sql = "SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1";
    $result = mysql_query("SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1");
    // Help needed here
        echo "Password has been sent to <b>{$_POST['email']}</b>";
    } else {
        echo "mail does not exist";
    }
}

I have a form and, when it is submitted, I would like to check that an email exists and then print yes or no. I have been trying different methods to work out how to do this. I am very new to learning and I have tried numerous ways, but they keep showing as not working... Any help or suggestions would really help me to understand this really simple yet troubling query for me!!

 

Thank you in advance for your help


You don't check anything. You set up a UNIQUE constraint on the e-mail column, try to insert the new row, and if that leads to a constraint violation, you know the e-mail address is already taken. See this post:

 

Using UNIQUE constraints to prevent duplicate values.

 

Also see my comment in your previous thread:

 

Your code is wide open to SQL injection attacks.


Thanks for your suggestion - Interesting I didn't think to try this.

if (isset($_POST['resetpassword'])) {
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }
    $sql = "SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1";
    if ($result = $mysqli->query($sql)) {
        $user = $result->fetch_array();
    } else {
        echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
        exit();
    }
    if ($result->num_rows == 1) {
        echo "<font color=green><p>Password has been sent to <b>{$_POST['email']}</b></p></font>";
    } else {
        echo "<font color=red><p>Email does not exist</p></font>";
    }
}

I rewrote my code and tried using mysqli, and I was able to make my code work! Why would your idea be better than what I have written? All it's doing is checking a value. Just trying to understand if there's a security problem or if it's just another way of doing it.


Your code does not work. Read the post I linked to.

 

Web applications have to handle many requests at the same time, so you can run into the following scenario: Request A and request B both choose the same e-mail address, and this address isn't used yet. Your code checks the database, doesn't find the e-mail address and tells A that it may use the address. At the same time, your code does the database check for B and tells B that it may use the address. So now both A and B get permission to use the same address. In the worst case (you have no additional UNIQUE constraint), you'll end up with a duplicate address despite your check.

 

This isn't just a theoretical problem. You can actually test this by sending parallel requests, and you'll quickly find duplicates in your database.

 

Of course you may try to ignore your bug if you have extremely low traffic and don't care about data integrity. But I wouldn't recommend it. Write correct code instead of trying to get away with bugs.
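
The insert-and-catch approach described in the replies above, as an added example that is not code from the thread or its participants. It assumes PDO with an in-memory SQLite database so that it runs without a server (the thread uses MySQL, where the same constraint violation also reports an SQLSTATE starting with 23); the `registerEmail` helper and the sample addresses are hypothetical.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs without a server (assumption); the thread uses MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The UNIQUE constraint is what guarantees there are no duplicates,
// even when two requests arrive at the same moment.
$pdo->exec('CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
)');

/**
 * Try to register an e-mail address (hypothetical helper).
 * Returns true if the row was inserted, false if the address is taken.
 */
function registerEmail(PDO $pdo, string $email): bool
{
    // Placeholder instead of string interpolation: user input never
    // becomes part of the SQL text, so it cannot change the query.
    $stmt = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
    try {
        $stmt->execute([':email' => $email]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation.
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return false;
        }
        throw $e; // any other database error is a real failure
    }
}

// Constructed sample input, standing in for $_POST['email'].
$inputs = ['alice@example.com', 'alice@example.com', "x' OR '1'='1"];
foreach ($inputs as $email) {
    $ok = registerEmail($pdo, $email);
    // Escape before echoing user input back into HTML.
    $shown = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    echo $ok ? "Registered: $shown\n" : "Already taken: $shown\n";
}
```

The second address is rejected by the database itself rather than by a preceding SELECT, and the third input, which contains quote characters, is stored as plain data because it is bound as a parameter.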
