-4

I'm writing a code for a simple registration system. I have this part where I check if the username or email already exist. If this is the case, it should show an error message, but it doesn't work. If the username or email exist, the registration form is submitted anyway.

This is my code

Registration.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <link rel="shortcut icon" href="favicon.png" type="image/x-icon"/>
  <link rel="icon" type="image/png" href="favicon.png" />
  <title>Registro</title>
</head>

<body>      
  <?php
  if(isset($_POST['submit'])){
    $mysqli = NEW 
    MySQLi('localhost','user','pass','database');
                        $username     =    $_POST['username'];
                        $name         = $_POST['name'];
                        $pass=          $_POST['pass'];
                        $email=         $_POST['email'];
                        $phone=      $_POST['phone'];

                        $querya=mysqli_query($mysqli,"select * from table where username='$username' && email='$email'");
                        $num_rowss=mysqli_num_rows($querya);

                        if ($num_rowss>0){
                            echo "Username or password is taken, please write a new one."
                        }else{


                        $query = "INSERT INTO table(username,name,pass,email,phone)VALUES('"
                        . $mysqli->real_escape_string($username) .
                        "' , '"
                        . $mysqli->real_escape_string($name) .
                        "' , '"
                        . $mysqli->real_escape_string($pass) .
                        "' , '"
                        . $mysqli->real_escape_string($email) .
                        "' , '"
                        . $mysqli->real_escape_string($phone) .
                        "')
                        ";

                        $insert = $mysqli->query($query);


                        if($insert){
                            header('Location: login.php');

                        }

                        }


                    $mysqli->close();   

}
?>

  <div>
            <h1>Register</h1>
            <form action="" method="post" name="registro" id="formulario"><br><br>
                <table>
                    <tr><td>Username: <input type="text" name="username" id="username" required></td> 
                    </tr>
                    <tr><td>Name:<input type="text" name="name" id="name" required></td> 
                    </tr>
                    <tr><td>Password: <input type="password" name="pass" required></td> 
                    </tr>
                    <tr><td>Email: <input type="email" name="email" required></td> 
                    </tr>
                    <tr><td>Phone: <input type="text" name="phone" required></td> 
                    </tr>
                    <tr><td> <input name="submit" id="submit" type="submit" value="Registrar" /></td></tr>
                </table><br><br>
            </form>
            </div>

    </body>

He_slp13
  • 67
  • 5
  • Err... don't you mean "or"? ~Kronk – Niet the Dark Absol Jan 19 '18 at 18:16
  • Also, ``ALTER TABLE `table` ADD UNIQUE KEY (`username`), ADD UNIQUE KEY (`email`)`` should help. – Niet the Dark Absol Jan 19 '18 at 18:17
  • plain text passwords, *just wow*. This is an exercise, right? not meant to go live, right? – Funk Forty Niner Jan 19 '18 at 18:26
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 19 '18 at 18:27
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 19 '18 at 18:27
  • Why should duplicate passwords be a problem? Why? – Jay Blanchard Jan 19 '18 at 18:27
  • even with the `OR` operator to (most likely) fix this, it's still a bad design. – Funk Forty Niner Jan 19 '18 at 18:28

2 Answers2

0

A couple things:

  1. Concern on SQL Injection - Use Parameters
  2. It should be OR, NOT &&. You want to know if the username or e-mail is found.
  3. You should have some way to handle errors also.

Your query should read as the following:

 $querya=mysqli_query($mysqli,"select * from table where username='$username' OR email='$email'");
 $num_rowss=mysqli_num_rows($querya);
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
Ctznkane525
  • 7,297
  • 3
  • 16
  • 40
0

Try this. it works for me sorry if not!

 $querya = "SELECT username, email FROM table WHERE username = '".$name."' OR email = '".$email."'";
        $result = $mysqli->query($sql);

        if(mysqli_num_rows($result) > 0)
        {
            echo 'Username or password is taken, please write a new one.';
        }
        else
        {
Bradley Coupland
  • 81
  • 12
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jan 19 '18 at 18:26
  • Do or do not, there is no "try". A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Jan 19 '18 at 18:28
  • I tested his code. Didn't work. I tested the same code with that implementation works perfectly. I appreciate it but i posted what worked for me and hoped it worked for him too! – Bradley Coupland Jan 19 '18 at 18:29
  • `OR 'email'` if you say that that worked, then I obviously am not at the right bar. – Funk Forty Niner Jan 19 '18 at 18:29