0

I want to check if record exists and if it does then go to page A, otherwise go to page B. But it just always goes to page A whether there is a record or not.

<?php
$ini = parse_ini_file("../phpconfig.ini");

$conn = mysqli_connect($ini['hostaddress'], $ini['username'], $ini['password'], $ini['databasename']);

if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$options = ['cost' => 10,];

$number = mysqli_real_escape_string($conn, $_POST['number']);
$password = password_hash((mysqli_real_escape_string($conn, $_POST['password'])), PASSWORD_BCRYPT, $options);

$sql = "INSERT INTO usertemp (Employee_Number, Password)
VALUES ('$number', '$password')";

if (mysqli_query($conn, $sql)) {

    $sql2 = "SELECT EXISTS(SELECT 1 FROM employee WHERE Number = '$number')";
    $row2 = mysqli_query($conn, $sql2);

        if (mysqli_num_rows($row2) > 0) {
            //Has record in Employee table
            header("location: display_createaccount_a.php");
        } else {
            //No record in Employee table
            header("location: display_createaccount_b.php");
        }

} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

mysqli_close($conn);
?>
iamlawrencev
  • 115
  • 1
  • 8
  • 3
    The salt option for the password_hash() function has been deprecated so that the developers do not generate their own (usually insecure) salts. The function itself generates a cryptographically secure salt, when no salt is provided by the developer - thus custom salt generation is not required any more. PHP 7, at somepoint u will need to upgrade to that version, better start following its guidelines – Masivuye Cokile Nov 17 '16 at 16:15
  • 1
    Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 17 '16 at 16:20
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Nov 17 '16 at 16:20

1 Answers1

1

Your SELECT EXISTS(...) is always going to return 1 row with true or false.

In this case, read the first index of the result and use that as your conditional value.

or better yet, use LIMIT instead and keep your app logic as it is:

$sql2 = "SELECT * FROM employee WHERE Number = '$number' LIMIT 1";

Also, I recommend checking out the PHP documents on prepared statements. This is a safer way of querying mysql.

AJ X.
  • 2,729
  • 1
  • 23
  • 33