-3

My problem being this:

 <?php
 function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT_COUNT('user_id') FROM `user` WHERE `username` = '$username'"), 0) == 1) ? true : false;
 }
 ?>

As you can see I have included my database name which IS correct and the user DOES exist and this is where I am calling it to pull from sql:

<?php
include 'core/init.php';

if (user_exists('dan') === true) {
echo 'exists';
} 

 die();

if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];

if(empty($username) === true || empty($password) === true {

    $errors[] = 'You need to enter a username and password';
} else if (user_exists($username) === false) {
    $errors[] = 'Sorry this user does not exist';
}
}
?>

I am not sure why I am getting a blank page and it isn's showing the message to say the user exists?

Dan
  • 17
  • 6
  • 1
    Use of the `mysql_*` functions in PHP is discouraged in favor of [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) ([find out why](http://stackoverflow.com/questions/12859942)) – Amelia Mar 30 '13 at 12:45
  • 2
    What is die(); doing in the open? ;) – dbf Mar 30 '13 at 12:55
  • @dbf - this function has been taken out now but im still getting the blank page – Dan Mar 30 '13 at 13:08

3 Answers3

1

here might be your syntax error which could not be fire 

(mysql_result(mysql_query("SELECT_COUNT('user_id') FROM `user` WHERE `username` = '$username'"), 0) == 1) ? true : false;

give space between SELECT COUNT remove underscore "_" because it will give you mysql error

Mufaddal
  • 5,398
  • 7
  • 42
  • 57
1

Aside from that silly typo in your query, the way you are using mysql API is indeed a terrible one.
Some critical flaws to be noted

  • whatever "sanitize" function used to build a query should add quotes around returned value. Otherwise it will do no good and lead you to injection.
  • you aren't checking for the mysql errors
  • you are writing your code in one line making it extremely hard to read.

What it should be at the very least

function user_exists($username) {
    $username = sanitize($username); // remember it should add the quotes
    $sql = "SELECT COUNT(1) FROM `user` WHERE `username` = $username";
    $res = mysql_query($sql) or trigger_error(mysql_error().$sql);
    $row = mysql_fetch_row($res);
    return !empty($row[0]);
 }

I am not sure why I am getting a blank page.

Most likely it is caused by some PHP error.
Either tell PHP to show them on-screen or peek into server error log to read the error message

Or there is no such user in the database.

So, make your code like this

<?php
ini_set('display_errors',1);
error_reporting(E_ALL);

echo "testing<br>";

include 'core/init.php';

if (user_exists('dan')) {
   echo 'exists';
} else {
   echo 'not found';
}
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • Ok thank you for pointing out the problems, I kinda knew there where some security issues but thanks for the updated code, however the problem still exists? – Dan Mar 30 '13 at 12:55
  • He's getting a blank page because of the `die();` most likely. – Amelia Mar 30 '13 at 12:59
  • I have taken out the die(); but the blank page keeps returning and not clarifying that the user exists, now the database is connected because if change the password it comes back with errors – Dan Mar 30 '13 at 13:06
  • @Your Common Sense - The code you have provided now does show the testing but regardless of what I put into the form. – Dan Mar 30 '13 at 13:11
  • You know I was including my ini.php file well here is the code in there if it helps... – Dan Mar 30 '13 at 13:13
  • well it appears there is an error judging by your code because im getting testing returned. The user exists though? – Dan Mar 30 '13 at 13:15
  • I have checked everything and my user exists, it is connecting to the correct db otherwise if i change the password it fails to load the site. I have used you code and it pointing to the correct locations, what on earth is missing? :S – Dan Mar 30 '13 at 13:19
  • No wonder. With error_reporting(0); you will have to guess for ages. – Your Common Sense Mar 30 '13 at 13:21
0

The problem is here

 SELECT_COUNT('user_id')
       ^

should be

 SELECT COUNT('user_id')
Yogesh Suthar
  • 30,424
  • 18
  • 72
  • 100
  • The issue still exists even with remove the underscore... – Dan Mar 30 '13 at 12:44
  • I have double checked it it taking it from the correct table name and username is a field which I have populated a user called dan under username – Dan Mar 30 '13 at 12:47