PHP mysql bug query

Question

Hi guys i've been working for straight 12 hours, i can't seem to find fix. i'm trying to compare user-input to database result for example $username == $result echo "Username is aldready taken, but the problem is it's passing through 2 statements without a break, and if i put a break to exit the loop, it always check for $email == $result2 despite of not entering any email in the field.

if (isset($_POST['username']) or isset($_POST['email'])) {
    $extract = mysql_query("
        SELECT
          `username`, `email`
        FROM `users`
        WHERE `username`='$username' OR `email`='$email'
    ");

    $resultq = mysql_num_rows($extract);
    while ($row = mysql_fetch_array($extract)) {

        $result = $row['username'];
        $result2 = $row['email'];

        echo " " . $result;
        echo " " . $result2;

        if ($username == $result) {
            echo " Username is already Taken!";
            //  break; //whenever i put break, it always gives me the else if statement echo, despite not entering any email in the field
        } //$pass = $_POST['pass'];
        else if ($email == $result2) {
            echo "Email Address is already used!";
            //  break;
        } else {
        }
    }
}

Explain to me how this is different from [mysql phpmyadmin User Input COMPARE database](http://stackoverflow.com/questions/18407734/mysql-phpmyadmin-user-input-compare-database) - You can use a variation of my solution for this as well... — Marty McVry, Aug 24 '13 at 09:59

score 2 · Answer 1 · answered Aug 24 '13 at 03:08

Upgrade from mysql to either MySQLi, or PDO.

However;

$extract= mysql_query("SELECT username, email FROM users where username='$username' or email='$email'");

$resultq = mysql_num_rows($extract);
    if($resultq > 0) {
       echo 'Either your username, or email is already taken!';
       return;
    }

Kai Qing · Answer 2 · 2013-08-24T18:54:14.613

See sniko for the answer to your initial problem. However, see the following...

You're not defining $username or $email

if ($username == $result ) should be

if ($_POST['username'] == $result )

or you could define $username and $email at the beginning of the conditional.

You should also change this:

isset($_POST['username']) or isset($_POST['email'])

to this:

isset($_POST['username']) && isset($_POST['email'])

because you depend on both in your query.

and as sniko said, switch to mysqli or PDO. mysql_ is deprecated.

full sample:

if(isset($_POST['username']) && isset($_POST['email']))
{
    $username = $_POST['username'];
    $email = $_POST['email'];

    $extract= mysql_query("SELECT username, email FROM users where username='$username' or email='$email'");

    $resultq = mysql_num_rows($extract);
    if($resultq > 0) {
       echo 'Either your username, or email is already taken!';
       return;
    }

}

Also note, you're not sanitizing the input. You could be hacked with this input. switching to mysqli or pdo and using prepared statements would help this.

i have this before the if statement, is this the same? $email = $_POST['email']; $username = $_POST['username']; — Daryl, Aug 24 '13 at 03:14
yes it's pretty much the same as far as assignments go, but you still call both in the query so you need to either separate that into two queries or make both fields required — Kai Qing, Aug 24 '13 at 03:16
i'm going crazy, i'm thinking how can websites determine if either email or username or just both are used... it's seems impossible to not have any solution to this, but i can't find the answer :( i'm so bothered by this i can't move on — Daryl, Aug 24 '13 at 03:22

PHP mysql bug query

2 Answers2