-1

I have a page where there's a button. When I click the button, a modal shows up, which contains a form for adding a new user.

In the user table, username + email + userid are primary keys. So I need to validate first that they don't exist in the table.

Now inserting works just fine. Also, when I insert an already existing username/userid/email it doesn't get added. However, the alert doesn't show, so the user won't know why it wasn't added.

```php
try
{
    if(isset($_POST['submit']))
    {
        if($_POST['submit'] == 'إضافة'){

            $user_name = $_POST['user_name'];
            $name = $_POST['name'];
            $email = $_POST['email'];
            $password = $_POST['password'];
            $role = $_POST['role'];
            $userid = $_POST['userid'];

            //check to see if username/email/userid already exists
            //Check username
            $stmt1 = $conn->prepare("SELECT * FROM users WHERE username='$user_name'");
            //Check email
            $stmt2 = $conn->prepare("SELECT * FROM users WHERE E-mail='$email'");
            //Check userid
            $stmt3 = $conn->prepare("SELECT * FROM users WHERE id=$userid");
            $stmt1->execute();
            $stmt2->execute();
            $stmt3->execute();

            if (mysqli_num_rows($stmt1)>0)
            {
                $name_error = "username already exists";
                die();
            }
            else if (mysqli_num_rows($stmt2)>0)
            {
                $name_error = "email already exists";
                die();
            }
            else if (mysqli_num_rows($stmt3)>0)
            {
                $name_error = "employee id already exists";
                die();
            }
            //if username/email/userid don't exist, proceed with the insert query.
            else
            {
                $stmt = $conn->prepare("INSERT INTO `user` (`id`, `username`, `name`, `E-mail`, `Password`, `Role`, `User_Id`) VALUES (NULL, '$username', '$Name', '$email', '$password', '$role', $userid)");
                $stmt->execute();

                $lastIntertedId = $conn->lastInsertId();
            }
```

I added the following to the text fields, so the error shows beneath them.

```html
<!-- Add User Modal -->
<div id="addUserModal" class="modal fade">
    <div class="modal-dialog">
        <div class="modal-content">
            <form method="POST" action="user_managment.php" >
                <div class="modal-header">
                    <h4 class="modal-title">إضافة مستخدم </h4>
                    <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
                </div>
                <div class="modal-body">
                    <div class="form-group">
                        <label>اسم المستخدم</label>
                        <input name="user_name" type="text" class="form-control" required>
                        <?php if(isset($name_error)): ?>
                            <span><?php echo $name_error;?></span>
                            <?php endif ?>
                    </div>
                    <div class="form-group">
                        <label>الاسم</label>
                        <input name="name" type="text" class="form-control" required>
                    </div>
                    <div class="form-group">
                        <label>الرقم الوظيفي</label>
                        <input name="userid" type="number" class="form-control" required>
                        <?php if(isset($name_error)): ?>
                            <span><?php echo $name_error;?></span>
                            <?php endif ?>
                    </div>
                    <div class="form-group">
                        <label>دور المستخدم </label>
                        <select name="role" class="form-control" id="sel1">
                            <option value="admin">مشرف</option>
                            <option value="employee">مدخل بيانات</option>
                        </select>
                    </div>
                    <div class="form-group">
                        <label>البريد الالكتروني</label>
                        <input name="email" type="email" class="form-control" required>
                        <?php if(isset($name_error)): ?>
                            <span><?php echo $name_error;?></span>
                            <?php endif ?>
                    </div>
                    <div class="form-group">
                        <label>الرقم السري</label>
                        <input name="password" type="password" class="form-control" required>
                    </div>
                </div>
                <div class="modal-footer" >
                    <input name="submit" type="submit" class="btn btn-success" value="إضافة">
                    <input type="button" class="btn btn-default" data-dismiss="modal" value="إلغاء">

                </div>
            </form>
        </div>
    </div>
</div>
```

Khuzama
  • 41
  • 6
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 28 '20 at 14:10
  • `die()` exits the script, so you never execute the code with `echo $name_error;` – Barmar Aug 28 '20 at 14:37
  • @Barmar I removed die(), still doesn't work. – Khuzama Aug 28 '20 at 23:46

1 Answer

0

Isn't your UserId a generated value in your DB's schema? If I understand correctly what you are trying to achieve, you shouldn't be able to know if your user_id already exists, since you shouldn't have a user_id at the moment you are trying to execute your form.

Here's how I understand your page: you have a page, on this page there's a modal to add a new user, in this page you verify if there's already an existing user with the same Email | Username | Id, but my issue is that you can't know the user_id of a user that hasn't been created yet, and also you shouldn't validate a duplicate based on an auto-generated value by your DB (imo).

I hope my message is understandable; what I want to say is that you can't verify the existence of something that hasn't been created yet.

tournier
  • 1
  • 1
  • Thank you for answering. 'user_id' is actually inserted by the user. I have another column in my table named 'id', which is automatically generated. – Khuzama Aug 28 '20 at 23:42
  • 1
    Alright, I understand it a bit more then. Did you try to debug your code by using some dump & die along the way of the execution of your code? Also, you should optimize your select: you don't need 3 separate requests for 3 fields that are related to the same user, you can use the condition OR or AND to expand your SQL query and make it verify that neither of those 3 fields already exists before inserting your new User. – tournier Aug 31 '20 at 09:33
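
The points raised in the comments and the answer (bound parameters instead of interpolated strings, one `OR` query instead of three, no `die()` before the form renders), combined in an added example that is not code from the original post or from either commenter. It assumes PDO, an in-memory SQLite table standing in for the MySQL one, simplified column names, and a hypothetical `addUser()` helper.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the MySQL table;
// column names are simplified assumptions. UNIQUE constraints stay the final backstop.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE, name TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE, password TEXT NOT NULL,
    role TEXT NOT NULL, user_id INTEGER NOT NULL UNIQUE)');

// Hypothetical helper: returns field => message; an empty array means the row was inserted.
function addUser(PDO $conn, array $in): array
{
    $errors = [];
    // One parameterized query covers all three uniqueness checks.
    $check = $conn->prepare(
        'SELECT username, email, user_id FROM users
         WHERE username = :u OR email = :e OR user_id = :i');
    $check->execute([':u' => $in['user_name'], ':e' => $in['email'], ':i' => (int)$in['userid']]);
    foreach ($check->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (strcasecmp($row['username'], $in['user_name']) === 0) { $errors['user_name'] = 'username already exists'; }
        if (strcasecmp($row['email'], $in['email']) === 0) { $errors['email'] = 'email already exists'; }
        if ((int)$row['user_id'] === (int)$in['userid']) { $errors['userid'] = 'employee id already exists'; }
    }
    if ($errors) {
        return $errors; // no die(): the script continues and the form can show the messages
    }
    $insert = $conn->prepare(
        'INSERT INTO users (username, name, email, password, role, user_id)
         VALUES (:u, :n, :e, :p, :r, :i)');
    $insert->execute([
        ':u' => $in['user_name'], ':n' => $in['name'], ':e' => $in['email'],
        ':p' => password_hash($in['password'], PASSWORD_DEFAULT), // store a hash, not the password
        ':r' => $in['role'], ':i' => (int)$in['userid'],
    ]);
    return [];
}

// Constructed sample submissions (on the real page these values come from $_POST).
$first  = ['user_name' => 'sara', 'name' => 'Sara', 'email' => 'sara@example.com',
           'password' => 'correct horse', 'role' => 'employee', 'userid' => '1001'];
$second = ['user_name' => "o'brien", 'name' => 'Pat', 'email' => 'sara@example.com',
           'password' => 'battery staple', 'role' => 'employee', 'userid' => '1002'];
var_dump(addUser($conn, $first));  // new user
var_dump(addUser($conn, $second)); // reuses the first user's e-mail; the apostrophe is bound as data
```

In the modal, print each `$errors[...]` entry under its own field through `htmlspecialchars()` rather than echoing one shared `$name_error` under all three inputs.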