
I am creating a registration system. I already have the registration page set up with text fields, and so far everything works except for checking if the email entered into the field is already in my db. The issue is in the part of the code where I select a table and check to see if something in the table matches the email I type in from the registration form. If I instead specify an email in the SELECT from table where email="email" and then write in the same email in the form, then it will work. Of course that is kinda useless, so I need it to check to see if the email the user typed into the system is in the db.

Here is the code.

```php
<?php include 'db.php'; ?>

<?php
// Set variables
$first_name = $_POST['firstname'];
$last_name  = $_POST['lastname'];
$email_name = $_POST['newemail'];
$passw_name = $_POST['newpw'];
$pw_check   = $_POST['newpwconfirm'];

// Check to see if all fields are filled out.
if ($first_name == "") {
    echo "Please enter a first name" . '<br>';
} elseif ($last_name == "") {
    echo "Please enter a last name, all fields need to be filled" . '<br>';
} elseif ($email_name == "") {
    echo "Please enter an email, all fields need to be filled" . '<br>';
} elseif ($passw_name == "") {
    echo "Please enter a password, all fields need to be filled" . '<br>';
} elseif ($pw_check == "") {
    echo "Please confirm password, all fields need to be filled" . '<br>';
} else {
    echo "works" . '<br>';
}

// Ask the db for the row whose email matches the email the user entered
$getemail = mysqli_query($connect, 'SELECT * FROM user_info WHERE email="$email_name"');
// Grab array and set to variable
$fetchEmail = mysqli_fetch_array($getemail);
// Set the email part of the array to a variable
$email_exist = $fetchEmail['email'];

// Check to see if the email from the database exists
if ($email_exist == $email_name) {
    // If the email exists in the database, let the user know
    echo "sorry " . $fetchEmail['email'] . " is already registered in our system.";
    echo '<a href="../index.php">Try Again</a>';
} else {
    // Check to see if the passwords the user entered match
    if ($passw_name != $pw_check) {
        // If the passwords don't match then generate an error.
        echo "sorry the password you entered did not match, please check and try again";
        echo '<a href="../index.php">Try Again</a>';
    } else {
        // If the passwords match then add user data to database
        echo "it worked! Welcome to Fitcir";
    }
}

?>
```
user2684521
  • I should also mention the password checking part of the if statement does work, so if the passwords are not matching then it will execute that error – user2684521 Jan 20 '14 at 02:48
  • $email_exist,$fetchEmail are arrays you treat them like strings –  Jan 20 '14 at 02:49
  • Reverse your quotes. The single quotes cause the variable not to be interpolated. Use double quotes on the outer string and single quotes on the value inside the SQL string. – Michael Berkowski Jan 20 '14 at 02:49
  • This is, as you have it, vulnerable to SQL injection. You ought to be using [prepared statements in mysqli](http://php.net/manual/en/mysqli.prepare.php) with a bound parameter `WHERE email = ?` – Michael Berkowski Jan 20 '14 at 02:51
  • Really? I have no idea, not sure what you mean by WHERE email =? though. – user2684521 Jan 20 '14 at 02:56
  • Read the docs I linked on `mysqli::prepare()`. The `?` will be explained in there. Also see the examples in [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Michael Berkowski Jan 20 '14 at 03:30
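
The bound-parameter lookup suggested in the comments (`WHERE email = ?`), written out as an added example; it is not code from the question or from any commenter. It assumes `db.php` provides the `$connect` mysqli connection and the `user_info` table from the question; `email_is_registered` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes db.php defines $connect (a mysqli
// connection) and that user_info has an email column, as in the question.
include 'db.php';

/**
 * Return true when $email already has a row in user_info.
 * The ? placeholder is filled by bind_param(), so the value travels to the
 * server separately from the SQL text and cannot change the query's structure.
 * No PHP string interpolation is involved, so the quoting style of the SQL
 * literal no longer matters.
 */
function email_is_registered(mysqli $connect, string $email): bool
{
    $stmt = $connect->prepare('SELECT 1 FROM user_info WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connect->error);
    }
    $stmt->bind_param('s', $email);   // 's' = bind the value as a string
    $stmt->execute();
    $stmt->store_result();            // buffer the result so num_rows is valid
    $found = $stmt->num_rows > 0;     // no row means "not registered", no null array to index
    $stmt->close();
    return $found;
}

// Missing form field is treated the same as an empty one.
$email_name = trim($_POST['newemail'] ?? '');

if ($email_name === '' || filter_var($email_name, FILTER_VALIDATE_EMAIL) === false) {
    echo 'Please enter a valid email.<br>';
} elseif (email_is_registered($connect, $email_name)) {
    // Escape user input before echoing it back into HTML.
    echo 'sorry ' . htmlspecialchars($email_name, ENT_QUOTES, 'UTF-8')
        . ' is already registered in our system.';
} else {
    echo 'email is available';
}
```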

0 Answers