0

I have an "Empty Database" of users.

The first thing I want to do with my code if check if user id exist, before creating them an user ID.

I am getting following error: Trying to get property 'num_rows' of non-object

I have taken my query and submitted it on mysql and return nothing.

My HTML submit form:

<form action="index.php" method="post" autocomplete="off">
<input type="text" name="username" placeholder="Username" />
<input type="password" name="password" placeholder="Password" />
<input type="submit" value="Login" />
</form>

I am testing if user name exist.

$query=("SELECT count(*) FROM users WHERE user_name = ?,[$username]");
$result = mysqli_query($conn, $query);

if ($result)
    {
        $result = mysqli_fetch_all($result,MYSQLI_ASSOC);
        return $result;
    } else {
        return mysqli_affected_rows($conn);
    }

After the test, it will submit my query to create user account.

user8776656
  • 103
  • 7
  • Possible duplicate of [check if row exists with mysql](https://stackoverflow.com/questions/22252904/check-if-row-exists-with-mysql) – Nick Feb 05 '19 at 03:32
  • Can you add code where you are fetching `num_rows` as an object and getting this error: `Trying to get property 'num_rows' of non-object` – Ankur Tiwari Feb 05 '19 at 03:42
  • 1
    That query is not valid syntax. – tadman Feb 05 '19 at 03:47
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Feb 05 '19 at 03:51

1 Answers1

1

Re-written to use the correct syntax it looks like this:

$stmt = $conn->prepare("SELECT count(*) FROM users WHERE user_name = ?");
$stmt->bind_param('s', $username);

$result = $stmt->execute();

if ($result)
{
    return $result->fetch_assoc();
} else {
    return $conn->num_rows;
}

That being said, hopefully this is an academic exercise because writing your own login system for production use is extremely dangerous. Use a framework with a built-in security layer as an application foundation.

tadman
  • 208,517
  • 23
  • 234
  • 262
  • I assume you are saying this because people use old guides which show really outdated code and/or do not follow the procedure that is required to make your login safe (prone to sql injection etc..)? If not I would be really interested if you happen do have some information about why building your own login system is extremely dangerous. – Chris Feb 05 '19 at 06:23
  • 1
    @Chris I'm saying this because the number of threats today is way higher because there's automated tools to probe and exploit sites that can be used by unsophisticated attackers. A lot of this code floating about dates from the 1990s when the threats were far fewer and less sophisticated. The [number of threats](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series) you have to defend against is huge, doing that all yourself is basically impossible. Using a pre-existing, **tested and supported** authentication system is critical. – tadman Feb 05 '19 at 16:19
  • 1
    @Chris If you use a popular system (e.g. Laravel) then the chance that your site is the first to fall to a new vulnerability is very low, you have safety in numbers. In most cases you'll get notified about a CVE and have time to patch before you're a target. This is not the case with your self-built system where you are the *first and only target* for any attacks. You only find out after you've been compromised. – tadman Feb 05 '19 at 16:21