0

I am trying to verify whether or not a username and email address exist in my database and have tried to do a if, elseif, else statement to no avail.

I want to first run a check to see if the username is fine - obviously if not, an echo statement will appear. If the username doesn't exist, run an elseif statement to see if the email address is unique - again if not, another echo statement will appear. For the final statement, if all other conditions return false, I want to run the below code so that the user's input is submitted to the database.

I initially tried to declare two variables with a statement to check if the username=$username and email_address=$email_address then check to see if the number of rows returned from a mysqli_query is more than 1 for the username. I entered an elseif statement with the same but for email address but then I had an else statement with the below code in {} brackets.

I have deleted the original code because too many errors were thrown up, and was probably too convoluted and messy when a more elegant way to do what I was exists.

Any help would be appreciated.

if(isset($_POST['submit']))
    {
$sql = "INSERT INTO users (first_name, last_name, username, email_address, password,    gender, city, country, verification_code, verified, sign_up_date) VALUES (
'$first_name',
'$last_name',
'$username',
'$email_address',
'$password',
'$gender',
'$city',
'$country',
'$verification_code',
'1',
'$sign_up_date')";
    $result = mysqli_query($conn,$sql);
    header("Location:confirmation.php");
}
Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
Dreamception
  • 1
  • 4
  • 1
    You could make the columns have the UNIQUE constraint. – Jay Blanchard Mar 10 '17 at 19:25
  • 1
    Where can I register my friend, [Bobby Tables](http://bobby-tables.com/)? – Siyual Mar 10 '17 at 19:26
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 10 '17 at 19:26
  • @JayBlanchard password is sha512 with two salts for encryption. – Dreamception Mar 10 '17 at 19:30
  • That is not good enough @Dreamception. PHP's functions supply random salts and a better hashing method than SHA512 – Jay Blanchard Mar 10 '17 at 19:31
  • @JayBlanchard duly noted. Thank you for the feedback - I will certainly investigate. – Dreamception Mar 10 '17 at 19:31
  • Start your investigation here (and make sure to read comments) https://security.stackexchange.com/questions/52041/is-using-sha-512-for-storing-passwords-tolerable – Jay Blanchard Mar 10 '17 at 19:35

3 Answers3

0

What you want is an integrity check on the data. You should do this check inside the database. The simplest way is with unique constraints/indexes:

create unique index unq_users_username on users(username);
create unique index unq_users_email on users(email);

If you attempt to insert or update a row so it violates these constraints, then your data modification step will fail with an error.

Gordon Linoff
  • 1,242,037
  • 58
  • 646
  • 786
  • Hi, I have added the unique constraint and it appears to not accept the data being submitted (step in the right direction). What PHP code would I need to have on the webpage to explicitly say to the user that there was an error and that the email address and/or username is already in use? – Dreamception Mar 10 '17 at 19:58
  • You need to capture the error and give the user an appropriate message. – Gordon Linoff Mar 11 '17 at 02:50
0

You need to create an index for them. Use The following command to create the index:

CREATE UNIQUE INDEX index_name ON table_name (column_name)

Check This Link for more info: https://www.w3schools.com/sql/sql_create_index.asp

Luiz Fernando Sousa Camargo
  • 325
  • 1
  • 4
  • 17
0

You could write a function to check your database first for example:

$errors = []; // you can add errors to this array.
if (isset($_POST['submit']))
{
    // first do your validation here against empty values and invalid email

    $sql = "SELECT * from users where email='$email' and username='$username'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) > 0) {
       $errors[] = "Username and email has been taken.";
    }

    if (!empty($errors))
    {
       // loop through your errors and echo them
    } else {
      // insert your values into the database 
    }
}
Amr Aly
  • 3,871
  • 2
  • 16
  • 33
  • So using error code 1062 in the array will check for the duplicate entry. I have just added this but it forwards to the redirect page: ` `result = mysqli_query($conn,$sql); ` if (mysqli_errno($result) == 1062){ ` echo "username/email address already in use"; ` } else { ` header("Location:confirmation.php"); ` } ` } ` – Dreamception Mar 10 '17 at 20:15
  • If you use the UNIQUE constraint then this code wont work this code is simple it just checks if you have any records with the same values passed to it. if so it will not insert it since the inserting process in `else` statement. – Amr Aly Mar 10 '17 at 20:22
  • I have just tried your code and I am getting an unexpected '}' for the line after the first if statement. – Dreamception Mar 10 '17 at 20:24
  • forgot semi colon. added it. – Amr Aly Mar 10 '17 at 20:29
  • Almost there. Just one more error to fix: Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given – Dreamception Mar 10 '17 at 20:39
  • forgot * sorry about that. – Amr Aly Mar 10 '17 at 20:44
  • sorry. I am not. but would you tell me what problem you are facing? – Amr Aly Mar 10 '17 at 20:57
  • HI Amr, I have just sent you an e-mail to your Yahoo e-mail address that is on your Stack Overflow. Issue remains the same as previously stated but I am half suspecting it is because of the unique key identifier on the field in the table. – Dreamception Mar 10 '17 at 21:00