-2

How do I check if the email is already in use? If it is in use, the user will be alerted that the email is already used; if not, it would proceed.

Here in my code, it did not work; it still registered even if I inputted the same email.

<?php

session_start();

$con = @mysql_connect("localhost", "root", "secretpassword");
$dbcheck = mysql_select_db("buybranded");

if (!$dbcheck) {
    echo mysql_error();
}

$new_email = $_POST['email'];
$xxx = mysql_query("SELECT email FROM users WHERE email = $new_email");
$yyy = mysql_fetch_row($xxx);

if (!isset($yyy['email'])) {
    $hashed_password = hash('sha512', $_POST['password']);
    $type = "customer";
    $sql = "INSERT INTO users(first_name, middle_name, last_name, gender, email, password, birth_date, home_address, postal_code, home_phone, mobile_phone, source, type)
    VALUES
    ('$_POST[first_name]','$_POST[middle_name]','$_POST[last_name]','$_POST[gender]','$_POST[email]','$hashed_password','$_POST[birth_date]','$_POST[home_address]','$_POST[postal_code]','$_POST[home_phone]','$_POST[mobile_phone]','$_POST[source]','$type')";
} else {
    echo "hahaha";
}

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error($con));
}

header('refresh: 0; url=../index.php#openModal');
$message = "You are now Registered, Please Sign In.";
echo("<script type='text/javascript'>alert('$message');</script>");

?>

I hope you guys can help, I am new with PHP. :) Thank you!

Jost
Vince Agno
  • You really shouldn't use `mysql_` functions for new projects as it's deprecated. Switch to `mysqli` or PDO instead. – TheWolf Oct 03 '14 at 14:19
  • And don't post passwords! – Jost Oct 03 '14 at 14:20
  • What happens when I type this in your email input: `1 OR 1=1`? – Daan Oct 03 '14 at 14:21
  • Per this: http://stackoverflow.com/questions/700227/whats-quicker-and-better-to-determine-if-an-array-key-exists-in-php, try using array_key_exists() instead of isset. – Mark Oct 03 '14 at 14:22
  • @Daan well nothing, since [mysql_query](http://php.net/manual/en/function.mysql-query.php) only supports a single query "(multiple queries are not supported)". But that's definitely not the point. – sjagr Oct 03 '14 at 14:23
  • @sjagr Didn't know that, but I made my point. – Daan Oct 03 '14 at 14:24
  • @sjagr: -infinity. `where email=1 or 1=1` is not "multiple queries". The classic "bobby tables" attack won't work, but you can STILL cause the query to fail at a meta level. – Marc B Oct 03 '14 at 14:34
  • @MarcB He had an edit before that was an attempt at running multiple queries. – sjagr Oct 03 '14 at 14:40
  • @VinceAgno I hope the password you posted was just a random string of characters. But if not, you should *really* **change your password**. – Luke Willis Oct 03 '14 at 14:47

1 Answer

Your query has a syntax error, causing all queries to fail. You also fail to check for failure, so you're simply assuming everything will keep working:

$xxx = mysql_query("SELECT email FROM users WHERE email = $new_email");
                                                          ^---------^--- no quotes

This will produce

... WHERE email = foo@example.com

and I highly doubt you have a foo@example.com column in your users table.

$xxx = mysql_query("SELECT email FROM users WHERE email = '$new_email'") or die(mysql_error());
                                                          ^----------^--

Note the quotes here, and the addition of the or die(...).

You then have further logic bugs. $sql only gets set if the first query DOESN'T return any valid data. But then you unconditionally try to execute that `$sql` variable, even if it never got set.

if (...) {
   $sql = "INSERT ...";
}
mysql_query($sql);

Since it only gets set if the email DIDN'T exist, you blindly try to execute a non-existent query, and THAT query() call then fails as well. The code should be more like:

if (...) {
   $sql = "INSERT...";
   mysql_query($sql) or die(mysql_error());
   die("Email created");
}
die("Email not created");

And on top of all this, you're vulnerable to SQL injection attacks.

Marc B
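The check-then-insert flow from the question redone with PDO prepared statements, as an added example that is not code from the question or the answer. It assumes the `users` table from the question with a UNIQUE index on `email`, and uses placeholder database credentials.

```php
<?php
// Added example, not code from the question or the answer: the check-then-insert
// flow with PDO prepared statements, so input is never spliced into SQL and every
// failure surfaces. Table and columns follow the question; credentials are placeholders.
declare(strict_types=1);
function emailExists(PDO $pdo, string $email): bool
{
    // The value is sent apart from the SQL text, so an input such as "1 OR 1=1"
    // (from the comments above) is compared literally, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

function registerUser(PDO $pdo, array $input): string
{
    $email = trim($input['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address.';
    }
    if (emailExists($pdo, $email)) {
        return 'That email is already registered.';
    }
    // password_hash() salts and stretches; a bare sha512 of the password does neither.
    $hash = password_hash($input['password'] ?? '', PASSWORD_DEFAULT);
    try {
        $stmt = $pdo->prepare('INSERT INTO users (first_name, last_name, email, password, type)
                               VALUES (:first_name, :last_name, :email, :password, :type)');
        $stmt->execute([
            ':first_name' => $input['first_name'] ?? '',
            ':last_name'  => $input['last_name'] ?? '',
            ':email'      => $email,
            ':password'   => $hash,
            ':type'       => 'customer',
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation. With a UNIQUE index on
        // users.email (assumed here) this closes the race where two requests both
        // pass the SELECT above; that check is a fast path, the index is the guarantee.
        if ((string) $e->getCode() === '23000') {
            return 'That email is already registered.';
        }
        throw $e;
    }
    return 'You are now registered, please sign in.';
}
$pdo = new PDO('mysql:host=localhost;dbname=buybranded;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
echo registerUser($pdo, $_POST);
```

The SELECT only gives a friendly early answer; the UNIQUE index is what actually prevents two concurrent registrations with the same email from both succeeding.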