
I have tried this many, many times and I don't get why this doesn't work. Because of this my registration page passes all usernames. I have no idea what is wrong. Sorry about my bad English, I am really tired and desperate.

function user_exists($username){
    $username = htmlspecialchars($username);
    $sql = "SELECT username FROM ***** WHERE username = '$username'";
    $result = mysqli_query($GLOBALS['$db'], $sql);
    if(mysqli_num_rows($result) > 0){
        // Message is Finnish: "Username '<name>' is already taken."
        $errors[] = 'Käyttäjätunnus \''. $_POST['username'] . '\' on jo otettu.';
    }
    // $errors is local to this function and nothing is returned
}

I am calling that function like this:

if(user_exists($_POST['username']) === true){
    // "Username '<name>' is already taken."
    $errors[] = 'Käyttäjätunnus \''. $_POST['username'] . '\' on jo otettu.';
}
Nasse
  • and you are calling that function how exactly? probably a variable scope. – Funk Forty Niner Aug 17 '16 at 18:11
  • For starters, you have a SQL injection vulnerability. What is the runtime value of the query being executed? In what specific way does this not work as expected? – David Aug 17 '16 at 18:11
  • What errors are you facing? – Zain Farooq Aug 17 '16 at 18:12
  • `htmlspecialchars` doesn't help with SQL injections and might change what your username becomes. Does `$sql` output and execute (on DB directly) as expected? – chris85 Aug 17 '16 at 18:12
  • First comment on the scene has yet to be answered. Don't post code in comments please, edit your question to contain it. – Funk Forty Niner Aug 17 '16 at 18:14
  • I am not getting any errors. It just passes and allows the user to register with the same username over again – Nasse Aug 17 '16 at 18:15
  • Your function isn't returning `true` or `false`, it currently returns nothing. For how to prevent SQL injections see: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php. – chris85 Aug 17 '16 at 18:15
  • possible duplicate of [Reference: What is variable scope, which variables are accessible from where and what are “undefined variable” errors?](http://stackoverflow.com/questions/16959576/reference-what-is-variable-scope-which-variables-are-accessible-from-where-and) – Funk Forty Niner Aug 17 '16 at 18:16
  • Do `if(mysqli_num_rows($result) > 0){ return true; } else { return false; }` – chris85 Aug 17 '16 at 18:19
  • If the usernames aren't inserted with htmlspecialchars, you'll always fail to match them; please post the insertion code – Gar Aug 17 '16 at 18:25

1 Answer


Well, let's clean this up some

function user_exists(mysqli $db, $username){
    $username = htmlspecialchars($username);
    $sql = "SELECT username FROM ***** WHERE username = ?";
    $prep = $db->prepare($sql);
    $prep->bind_param('s', $username); // the value travels separately from the SQL text
    $prep->execute();
    $result = $prep->get_result();     // get_result() (no trailing "s"); needs the mysqlnd driver
    $errors = [];
    if($result->num_rows > 0){
        // "Username '<name>' is already taken."
        $errors[] = 'Käyttäjätunnus \''. $username . '\' on jo otettu.';
    }
    return $errors;
}

First, you need to inject your DB connection into the function. Avoid using globals.

Second, we're switching to a prepared statement. Solves the SQL injection problem.

Third, we're returning an array. Your errors will never show up the way you were doing it. You can pick how/what gets returned, but, again, we don't want globals.

Panda
Machavity
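As an added example (not code from the question or from Machavity's answer), here is a complete PHP script that ties the three points of the answer together and adds the two caveats raised in the comments: what the string-built query actually becomes at runtime when the username is hostile, why running htmlspecialchars() before the lookup breaks matching, and why a UNIQUE index is what really enforces uniqueness. It assumes a table named `users` with a UNIQUE `username` column and a `password_hash` column, and reads connection details from DB_HOST/DB_USER/DB_PASS/DB_NAME environment variables; none of these names come from the original page.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer above.
// Assumptions (not from the original page): a table `users` with a UNIQUE
// column `username` and a column `password_hash`; connection details come
// from the DB_HOST/DB_USER/DB_PASS/DB_NAME environment variables.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

// 1. The runtime SQL that the question's string-built query produces.
// htmlspecialchars() is an HTML encoder, not a SQL escaper: with the
// pre-PHP 8.1 default flags (ENT_COMPAT, passed explicitly here so the
// result is the same on every version) a single quote passes straight
// through and closes the SQL string literal.
function unsafeQueryText(string $username): string
{
    $username = htmlspecialchars($username, ENT_COMPAT);
    return "SELECT username FROM users WHERE username = '$username'";
}

// 2. The lookup the way the answer recommends: connection injected, value
// bound, a boolean returned. store_result()/num_rows is used instead of
// get_result() because get_result() needs the mysqlnd driver.
function userExists(mysqli $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username); // raw value; sent separately from the SQL text
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// 3. The existence check alone is a check-then-act race: two requests can
// both see "free" and both insert. The UNIQUE index on `username` is what
// enforces uniqueness; the insert catches the duplicate-key error
// (MySQL errno 1062, ER_DUP_ENTRY) and reports it as "already taken".
// HTML encoding happens here, when the message is built for output,
// not before the database lookup.
function registerUser(mysqli $db, string $username, string $password): array
{
    $errors = [];
    $taken  = "Username '" . htmlspecialchars($username) . "' is already taken.";
    if (userExists($db, $username)) {
        $errors[] = $taken;
        return $errors;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $stmt->bind_param('ss', $username, $hash);
        $stmt->execute();
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // lost the race; same outcome for the user
            $errors[] = $taken;
        } else {
            throw $e;
        }
    }
    return $errors;
}

// Offline part: constructed hostile input, printed as the query the
// original code would have sent to the server.
$hostile = "x' OR '1'='1";
echo unsafeQueryText($hostile), PHP_EOL;

// Constructed input showing why encoding before the lookup breaks matching:
// the stored row holds the raw name, the encoded form never equals it.
echo htmlspecialchars('Tom & Jerry'), PHP_EOL;

// Database part runs only when connection details are provided (assumed env vars).
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(
        getenv('DB_HOST'),
        getenv('DB_USER') ?: '',
        getenv('DB_PASS') ?: '',
        getenv('DB_NAME') ?: ''
    );
    $db->set_charset('utf8mb4');
    var_dump(userExists($db, $hostile)); // the quote is data here, not SQL
    print_r(registerUser($db, 'alice', 'correct horse battery staple'));
}
```

Run it with no environment variables to see the offline part only: the first line printed is `SELECT username FROM users WHERE username = 'x' OR '1'='1'`, a query that matches every row of the table, which is the "runtime value" David asked about; the second is `Tom &amp; Jerry`, which no stored username will equal. With DB_HOST set, `userExists()` returns false for the same hostile string because the driver sends the bound value out of band, and `registerUser()` returns an empty array on success or the "already taken" message both when the pre-check finds the name and when a concurrent request wins the race and the UNIQUE index rejects the insert.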