User Name is not taking from Dataabase

Question

I'm new to php. I've some problem. I get the value of username with ($_GET) variable. Let's suppose if some one enter (mehwish) in url. I want to check if the username entered by user is available or not in the database. My code below doesn't work. Correct my mistake if there's any. Thank you for your support.

<?php include("header.php");
    include("classes/db.php");
    session_start();
    $username="";
    if(isset($_GET['username']))
    {
        $user=$_GET['username'];
        if("SELECT user_name FROM user_reg WHERE user_name='$user'")
        {
            $username="SELECT user_name FROM user_reg WHERE user_name='$user'";
            $run_username=mysqli_query($con,$username);
            $row=mysqli_fetch_array($run_username);
            $username=$row['user_name'];
        }
        else
        {
            die("User does nto exist");
        }
    }
    ?>

**Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Jul 08 '17 at 11:11
Sorry actually i'm beginner to this field and don't know about sql injection . will you please suggest me a course or video link to study it . thank u — Mehwish Tariq, Jul 08 '17 at 11:18

Gyan · Accepted Answer · 2017-07-08T11:46:13.400

0

Use something like this :

<?php 
session_start(); //This always need to be first line of code
include("header.php");
include("classes/db.php");

$username="";
if(isset($_GET['username']))
{
    $user = mysqli_real_escape_string($con,$_GET['username']);
    //get data from table using the passed user name in the url
    $checkUser = mysqli_query($con,"SELECT user_name FROM user_reg WHERE user_name='$user'") or die(mysqli_error($con));
    //return number of rows from the above query
    //if more than 0 means user exist in database table
    if(mysqli_num_rows($checkUser)>0)
    {
        $row = mysqli_fetch_array($checkUser);
        $username = $row['user_name'];
        //use like this to store in session using $_SESSION global variable
        $_SESSION["firstname"] = $row["firstname"]; //firstname - column name in table
        $_SESSION["lastname"] = $row["lastname"];
        $_SESSION["email"] = $row["email"];
    }
    else
    {
        echo "User does not exist";
    }
}
?>

edited Jul 08 '17 at 11:46

answered Jul 08 '17 at 11:01

Gyan

498
6
10

Please test it with `$_GET['username'] = "'; drop table user_reg; ''";` – colburton Jul 08 '17 at 11:03
@Gyan will you please discuss this step actually i'm beginner i don't understand what it mean .. thanks code is here if(mysqli_num_rows($checkUser)>0) – Mehwish Tariq Jul 08 '17 at 11:07
@Mehwish Tariq : Please check the comments in the answer. Thanks. – Gyan Jul 08 '17 at 11:11
Thank you Gyan for your support – Mehwish Tariq Jul 08 '17 at 11:12
1

This reads more like a game of spot-the-difference than an answer. What did you change? Why should it fix the problem? – Quentin Jul 08 '17 at 11:12
@Mehwish Tariq : use mysqli_real_escape_string. This won't solve every problem, but it's a very good stepping stone. – Gyan Jul 08 '17 at 11:26
now i want to show first,last,email of this user with session how to edit this query . @Gyan – Mehwish Tariq Jul 08 '17 at 11:34

pro_cheats · Answer 2 · 2017-07-08T11:20:20.590

Try to do something like this -

<?php
//checking for GET variable
if(isset($_GET['username'])) $user=$_GET['username'];
else exit("Username is missing");

//IGNORE this if your DB connection is set from other files
//If so make a connection call and get the connection object.
$servername = "localhost";  //your db servername
$username = "username";   //your db username
$password = "password";   //your db password
$dbname = "myDB";   //your db name

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

//Your Query
$sql = "SELECT user_name FROM user_reg WHERE user_name='$user'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    //  found a row with the user entry.
    //  then the username exists in the database.
    echo "Valid User";

} else {
    echo "User not found";
}
$conn->close();
?>

This reads more like a game of spot-the-difference than an answer. What did you change? Why should it fix the problem? — Quentin, Jul 08 '17 at 11:11

score 0 · Answer 3 · answered Jul 08 '17 at 11:11

0

<?php 
$username="";
if(isset($_GET['username']))
{
$user=$_GET['username'];
$checkUser = mysqli_query($con,"SELECT user_name FROM user_reg WHERE 
user_name='$user'") or die(mysqli_error($con));
$row=mysqli_fetch_assoc($checkUser);
if(mysqli_num_rows($checkUser)>0){
    $username = $row["user_name"];
}else{
    echo "User does not exist";
}
}
?>

answered Jul 08 '17 at 11:11

Palani Samy

169
9

1

This reads more like a game of spot-the-difference than an answer. What did you change? Why should it fix the problem? – Quentin Jul 08 '17 at 11:11

score -1 · Answer 4 · answered Jul 08 '17 at 11:07

You've many mistakes in your code.Try something like this:

    <?php include("header.php");
        include("classes/db.php");
        session_start();
        $username="";
        if(isset($_GET['username']))
        {
            $user=$_GET['username'];
            $q = "SELECT user_name FROM user_reg WHERE user_name='$user'";
            $res = mysqli_query($con, q);
            if(mysqli_num_rows($res) > 0)
            {
                while ($row = mysqli_fetch_array($res, $con)) {
                     //Show what you want here..
                }
            }
            else
            {
                echo "User does nto exist";
            }
        }
 ?>

This reads more like a game of spot-the-difference than an answer. What did you change? Why should it fix the problem? — Quentin, Jul 08 '17 at 11:12

User Name is not taking from Dataabase

4 Answers4