Error trying to check if user exists in the database PHP

Question

I was trying to create a restriction, to when you put a username or a email that already exists in the database, show up a message saying that already exists. But when i try it simply ignore the code.

<?php

include 'config.php';

$sql_en = mysqli_query($conn, "SELECT `password`, `method` FROM `encryption`");

if (mysqli_num_rows($sql_en) > 0) {
    while($row = mysqli_fetch_assoc($sql_en)) {
        $password = $row["password"];
        $method = $row["method"];
    }
} else {
    echo "Error to find the keys to encrypt!";
}

if (isset($_POST["u_btn"])) {
    $u_name = $_POST["u_name"];
    $u_email = $_POST["u_email"];
    $u_pass = $_POST["u_pass"];

    if (empty($u_name) || empty($u_email) || empty($u_pass) ) {

        echo "Fill out all the fields!";
    } else {

        $check = mysqli_query($conn, "SELECT * FROM users where u_email = '$u_email' AND u_name = '$u_name'");

        $row = mysqli_fetch_array($check);

        if ($row["u_email"] == $u_email || $row["u_name"] == $u_name) {

            echo "Username already exists!";

            header('Location: register.php?err=true');
        } else {

        $encrypt_pass = $u_pass;

        // Must be exact 32 chars (256 bit)
        $password = substr(hash('sha256', $password, true), 0, 32);

        // IV must be exact 16 chars (128 bit)
        $iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);

        $encrypted = base64_encode(openssl_encrypt($encrypt_pass, $method, $password, OPENSSL_RAW_DATA, $iv));

        $insert = mysqli_query($conn,"INSERT INTO `users` (`u_name`, `u_email`, `u_pass`) VALUES ('$u_name', '$u_email', '$encrypted')");   


        header('Location: profile.php');
    }
    }
}

?>

<?php if (isset($_GET['err1'])) { ?>
    <div class="alert">
        <p>Login Failed! That username or email already exists! Do you wanto to go to the login page? <a href="login.php">Login</a>.</p>
    </div><?php } ?>

<?php if (isset($_GET['err2'])) { ?>
    <div class="alert">
        <p>Login Failed! That username or email already exists! Do you wanto to go to the login page? <a href="login.php">Login</a>.</p>
    </div><?php } ?>

<form action="register.php" method="post">
    <label>Name</label>
    <input type="text" name="u_name" value="" ></input><br />
    <label>Email</label>
    <input type="email" name="u_email" value="" ></input><br />
    <label>Password</label>
    <input type="password" name="u_pass" value="" ></input><br />
    <input type="submit" name="u_btn" value="Sing Up"></input>
    <input type="button" onclick="window.location='login.php';" value="Login"></input>
</form>

The problem its that if I put the email and name that I have in the database, the code works, but if I put only the name or email, doesn't check if it already exists.

Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Jan 05 '18 at 20:22
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Jan 05 '18 at 20:23

score 0 · Accepted Answer · edited Jan 05 '18 at 20:26

0

Change:

$check = mysqli_query($conn, "SELECT * FROM users where u_email = '$u_email' AND u_name = '$u_name'");

To

$check = mysqli_query($conn, "SELECT * FROM users where u_email = '$u_email' OR u_name = '$u_name'");

So you get everything matching and check each entry

edited Jan 05 '18 at 20:26

Jay Blanchard

34,243
16
77
119

answered Jan 05 '18 at 20:26

Eddi

48
5

Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jan 05 '18 at 20:27

Error trying to check if user exists in the database PHP

1 Answers1