Password Reset with Personal Verification

Question

I am new to php trying to learn something.I'm trying to write a script which allow users to reset password after they verify their personal info. Everything is working good except this php script. This script receives data from form input fields. The program was supposed to output:

echo $e.'&u='. $us .'&er='.$err.'&o='. $bulls3 .'&r='.$bulls4;


            exit(); 

which can be sent to ajax as respondText. The problem is this php script is not working as expected and giving me following error msg. Is there anyone who can help me out. Any help will be very much appreciated. Thank you in advance for help..

Error Output Message:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\myGenius\identityverify.php on line 119 contact

<?php
// AJAX CALLS THIS CODE TO EXECUTE
if(isset($_POST["bd"])){
    $bad= preg_replace('#[^0-9-]#i', '', $_POST['bd']);
    //Connect to database
    include_once("php_includes/connect_to_mysqli.php");
    $e = mysqli_real_escape_string($db_conx,$_POST['e']);
    $c= preg_replace('#[^a-z ]#i', '', $_POST['c']);
    $post= preg_replace('#[^a-z0-9]#i', '', $_POST['pst']);
    $user= preg_replace('#[^a-z0-9]#i', '', $_POST['us']);
    $odd= preg_replace('#[^a-z0-9]#i', '', $_POST['od']);

    if($e =="" || $bad =="" || $c=="" ||$post==""){
        echo "empty";
        exit();
        }else if($user=="" || $odd==""){
            echo "no_exist";
            exit();
        }else{



    $sql = "SELECT id, username FROM user WHERE email='$e' AND activated='1' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $numrows = mysqli_num_rows($query);
    if($numrows > 0){
        while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)){
            $id = $row["id"];
            $u = $row["username"];  

//Encrypted values to check with user input passed from hidden fields           
                    //Check codes
            $bull= value1;
            $bull2= value2;
            $bull3= value3;
            $bull3=value4;
            $us= value5;
            $err= value6;

        }
        if($user==$us && $odd==$err){   


    $sql = "SELECT country, birthday, postal FROM useroptions WHERE email='$e' AND username='$u' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $numrows = mysqli_num_rows($query);
    if($numrows > 0){
        while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)){
            $con = $row["country"];
            $bday = $row["birthday"];
            $poost = $row["postal"];

        }


if($c == $con && $bad == $bday && $post==$poost){
// encoded value using some type of encryption for passing data to another web page based on user information data
                $bulls= value1;
                $bulls2= value2;
                $bulls1=value3;
                $bulls3= value4;
                $bulls4= value5;
                $bulls3=value6;
                $bulls4=value7;

            echo $e.'&u='. $us .'&er='.$err.'&o='. $bulls3 .'&r='.$bulls4;


            exit();
        }else{
            echo "wrong";
            exit();
            }

        }else {
        echo "contact";
        exit();
    }//user option not set
    }else{
        echo "no_exist";
        exit();
        }//end code comparison and send to error page
    }else{
        echo "no_exist";
        exit();
        }
        exit();
}}
?>

Answer 1

I always use two queries rather than making a server return everything that matches

1. select count(*) from database where condition='expected';
2. Perform a second query based on an if() clause validating the initial result.

This affords a precaution against injection since my main query hasn't been executed.

Try replacing

if(isset($_POST["bd"])){

With

if(!empty($_POST["bd"])){