-2

Hey I am making a registration form in and this is my code

```php
if (isset($_POST['submit'])) {
    $GST = $_POST['GST'];
    $email = $_POST['email'];
    $contact = $_POST['contact'];
    $whatsapp = $_POST['whatsapp'];
    $adhaar = $_POST['adhaar'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $pan = $_POST['pan'];
    $district = $_POST['district'];
    // Define variables and initialize with empty values

    $sql = "SELECT email FROM users WHERE email = '$email'";
    $result = mysqli_query($con, $sql);

    if (mysqli_num_rows($result) == 1) {
        echo "string";
    } else {
        $sql2 = "INSERT INTO users (username, password,email,district,gst,watsapp,adhaar,contact,pan) VALUES ($username, $password,$email,$district,$GST,$whatsapp,$adhaar,$contact,$pan)";

        if (mysqli_query($con, $sql2)) {
            $customername = $_POST['product_name'];
            foreach ($customername as $key => $value) { // loop starts here
                $sql = "INSERT INTO center (id) VAlues ('$value')";
                if (mysqli_query($con, $sql)) {
                    echo "string";
                }
            } // loop ends here
        } else {
            echo "Error: " . $sql . "<br>" . mysqli_error($con);
        }
    }
}

?>
```

and I am getting this error: `Error: SELECT email FROM users WHERE email = 'dhruv@gmail.com'`

and if I don't use this code

```php
$customername = $_POST['product_name'];
foreach ($customername as $key => $value) { // loop starts here
    $sql = "INSERT INTO center (id) VAlues ('$value')";
    if (mysqli_query($con, $sql)) {
        echo "string";
    }
}
```

then it is showing no error. I am not able to understand what's happening.

Funk Forty Niner
dhruv
  • You are **wide open** to SQL injection attacks, and **you will be hacked** if you haven't been already. Use parameterized queries to avoid this problem entirely. – Brad Nov 04 '19 at 19:07
  • String literals variables must be quoted in all queries, not including a prepared statement method though. – Funk Forty Niner Nov 04 '19 at 20:47

1 Answer

-1

With MySQL, string comparison does not work like other code. Basically, you cannot use = to do what you think it does. When that happens, MySQL does something else with it.

Read this manual on string operations in MySQL for further help, but you want to use the keyword LIKE and match exactly on the email address, something like:

WHERE email LIKE '$email'"

You may need to filter the @ using PHP MySQL escape string function found here

Note*

Your code is currently vulnerable to MySQL injection. Taking user input and directly inputting into the DB queries is very dangerous and is a bad practice.

Read up more here on how to prevent it.

Ice76
  • and why is that? – Funk Forty Niner Nov 04 '19 at 18:51
  • 1
    This is the part I was talking about, your opening statement/paragraph: *"With MySQL, string comparison does not work like other code. Basically, you cannot use = to do what you think it does."* - That's what I have trouble with. Their present query is valid, being `WHERE email = '$email'";` - So, can you again explain this? On top of that, it doesn't answer / solve the question. Have you not gone over the rest of their code? Look at the duplicate I closed it with. – Funk Forty Niner Nov 04 '19 at 20:43
  • @FunkFortyNiner Your second comment says a lot more than the first. Which is ironic, as (assumingly) you downvoted my answer for not elaborating. Looking more, the query is probably correct, and the problem may be with code that is not shown, like the comment of them initializing empty values. – Ice76 Nov 04 '19 at 22:15
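
The parameterized-query approach that the comments and the answer's note point to, applied to the question's registration flow. This is an added example, not code from anyone in the thread: `register_user()` is a hypothetical helper, `$con` is assumed to be an open mysqli connection, and the transaction and password-hashing steps are additions the thread does not discuss.

```php
<?php
// Added example: table and column names are taken from the question;
// register_user() is a hypothetical helper, not code from the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

function register_user(mysqli $con, array $post): bool
{
    // Duplicate check: the email travels as a bound parameter, never inside the SQL text.
    $check = $con->prepare('SELECT 1 FROM users WHERE email = ?');
    $check->bind_param('s', $post['email']);
    $check->execute();
    $check->store_result();
    if ($check->num_rows > 0) {
        return false; // email already registered
    }

    // Not covered in the thread: store a hash rather than the submitted password.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    $con->begin_transaction(); // assumes a transactional engine such as InnoDB
    try {
        // One placeholder per column; the driver handles quoting of every value.
        $insert = $con->prepare(
            'INSERT INTO users (username, password, email, district, gst, watsapp, adhaar, contact, pan)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
        );
        $insert->bind_param(
            'sssssssss',
            $post['username'], $hash, $post['email'], $post['district'], $post['GST'],
            $post['whatsapp'], $post['adhaar'], $post['contact'], $post['pan']
        );
        $insert->execute();

        // Prepare once, then execute for each submitted product id.
        $center = $con->prepare('INSERT INTO center (id) VALUES (?)');
        foreach ((array) ($post['product_name'] ?? []) as $value) {
            $center->bind_param('s', $value);
            $center->execute();
        }
        $con->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $con->rollback(); // leave no half-registered user behind
        throw $e;
    }
}
```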