0

Can't seem to figure this out, don't know if it's because I am using v5+ but the "mysqli_num_rows($result) > 0" isn't working as it's suppose to... yet it's still injecting the variables into the database.

The error I am receiving is " Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\lichie\register.php on line 22 "

Other examples I've seen on stackoverflow work off of the "mysql_query" method but I am trying to it with "mysqli_query".

Here is the code:

<?php

include "connect_db_users.php";

@$username = strtolower($_POST['user']);
@$email = strtolower($_POST['email']);
@$pass = $_POST['pass'];
@$confirmPass = $_POST['confirmPass'];

$ins_user = "INSERT INTO lichie_user(user_user,user_pass,user_email, user_date)"
            . "VALUES ('" . $username . "' , '" . $pass . "' , '" . $email . "' , NOW())";

if(isset($_POST['submit'])){
    if($username == !''){
        if($email == !''){
            if($pass == !''){
                if($pass == $confirmPass){

                    $query = 'SELECT user_user FROM lichie_user WHERE user_user=$username';
                    $result = mysqli_query($connect,$query);

                    if (mysqli_num_rows($result) > 0){
                        echo "Username already exists!";
                    }else{
                        if(mysqli_query($connect, $ins_user)){
                            mysqli_close($connect);
                            /*header("Location: Success.php");*/
                            echo "INSERTED";
                        }else{
                            echo "FAILED!";
                        }
                    }

                }else{
                    echo "Passwords do not match!";
                }
            }else{
                echo "Password can not be empty!";
            }
        }else{
            echo "Email can not be empty!";
        }
    }else{
        echo "Username can not be empty!";
    }
}




?>




<form method="POST">

    <h2 align="center"> Register</h2>

    <table id="table1"; cellspacing="5px" cellpadding="5%"; align="center">

            <tr>
                <td align="right">Username:</td>
                <td><input type="text" name="user" /></td>
            </tr>

            <tr>
                <td valign="top" align="right">Email:</td>
                <td><input type="email" name="email" /></td>
            </tr>

            <tr>
                <td valign="top" align="right">Password:</td>
                <td><input type="password" name="pass" autocomplete="off" /></td>
            </tr>

            <tr>
                <td valign="top" align="right">Confirm Password:</td>
                <td><input type="password" name="confirmPass" autocomplete="off"/></td>
            </tr>

            <tr>
                <td><input type="submit" name="submit" value="submit"/></td> 
            </tr>

    </table> 
</form>
Dean Byron
  • 31
  • 6
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Feb 15 '16 at 18:29
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Feb 15 '16 at 18:29

1 Answers1

1

Your select query is wrong. You are missing ' around $username.

Try this one : 

$query = "SELECT user_user FROM lichie_user WHERE user_user='$username'";

Also refer this : How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Mr. Engineer
  • 3,522
  • 4
  • 17
  • 34
  • Perfect! Can't believe I didn't see it! Thank you! :) Will have a look into the SQL-injection - You are the best ;) – Dean Byron Feb 15 '16 at 18:39