-2

I am trying to create a user registration form within PHP. I am new to writing MySQL injection code (not sure if that's what it's called) and I have come across the following error.

Notice: Trying to get property of non-object on line 92.

I start off my code by checking if each field within the form is empty, and if they are I store the error in an array. If the field is not empty then I use $_POST to add the information to a variable.

Here is an example

    if (isset($_POST["submit"])) {
        $error = array();
        if (empty($_POST['up_first_name'])) { // if no name has been supplied
            $error[] = 'Please Enter Your First Name'; // add to array "error"
        } else {
            $firstName = $_POST['up_first_name']; // else assign it to a variable
        }

    }

After this I check to see if the error array is empty and if it is I run a query to check if the email that is entered is already being used.

Here is my code.

if(empty($error)) // send to Database if there's no error
{
    // If everything is ok...

    // Make sure the email address is available:

    $query_verify_email = "SELECT * FROM user WHERE Email = ?";
    $stmt = $mysqli->prepare($query_verify_email);
    $stmt->bind_param("s", $email);
    echo $mysqli->error;
    $stmt->execute();

    if(!$query_verify_email) {
        echo 'Database Error Occured';
    }

If the email is not found I then insert the information from the form into my database.

        if ($query_verify_email->num_rows === 0) { // IF no previous user is using this email.
            $query_insert_user = "INSERT INTO user (`Title`, `FirstName`, `LastName`, `Email`, `Password`, `DataOfBirth`, `ContactNumber`, `Address`, `Address2`, `Country`, `Postcode`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
            $stmt=$mysqli->prepare($query_insert_user);
            $stmt->bind_param("sssssssssss", $title, $firstName, $lastName, $email, $password, $dateOfBirth, $number, $address, $address2, $country, $postcode);
            echo $mysqli->error;
            $stmt->execute();
 
            if (!$result_insert_user) {

            echo 'Query Failed ';

            }

        } else { // If it did not run OK.
            echo '<div class="errormsgbox">You could not be registered due to a system </div>';

        }

            } else { // The email address is not available.

            echo '<div class="errormsgbox" >That email address has already been registered.</div>';

        }
    }

The line that seems to cause the problem is the following line.

 if ($query_verify_email->num_rows === 0) {

I have no idea why I am getting this error or how to even fix it. Any help would be great.

Rebekah
  • 35
  • 7
  • 4
    `$query_verify_email` is a _string_ value. `$stmt` contains the reference to your actual database statement. – CBroe Mar 08 '21 at 14:49
  • I understand what you mean – Rebekah Mar 08 '21 at 14:52
  • 2
    `$query_verify_email` contains your SQL text. It doesn't contain the result of your query. Most mysqli tutorials would show you how to get the result of your query. There are a couple of examples [here](https://phpdelusions.net/mysqli) for instance. – ADyson Mar 08 '21 at 14:52
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection – Dharman Mar 08 '21 at 15:00

1 Answer

0

Instead of `if ($query_verify_email->num_rows === 0)` you have to check this: `($stmt->num_rows === 0)`

Raju Ahmed
  • 366
  • 6
  • 18
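The check-then-insert flow from the question, as an added example that is not part of the original question or answer: every result is read from the statement object, and `store_result()` is called before `num_rows` because mysqli only populates that property once the result set is buffered. The function names, the `$user` array keys, the connection details and the sample values are assumptions made for illustration, as is hashing the password with `password_hash()` before it is stored.

```php
<?php
// Added example, not the asker's code. Table and column names are from the
// question; connection details and sample values are constructed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of echoing $mysqli->error

function emailIsAvailable(mysqli $mysqli, string $email): bool
{
    $stmt = $mysqli->prepare("SELECT 1 FROM user WHERE Email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    // num_rows lives on the statement object ($stmt), not on the SQL string,
    // and is only filled in once the result set has been buffered.
    $stmt->store_result();
    $available = ($stmt->num_rows === 0);
    $stmt->close();
    return $available;
}

function insertUser(mysqli $mysqli, array $u): bool
{
    $sql = "INSERT INTO user (`Title`, `FirstName`, `LastName`, `Email`, `Password`,
        `DataOfBirth`, `ContactNumber`, `Address`, `Address2`, `Country`, `Postcode`)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    // Assumption: the Password column holds a password_hash() value, not the raw password.
    $hash = password_hash($u["password"], PASSWORD_DEFAULT);
    $params = [$u["title"], $u["firstName"], $u["lastName"], $u["email"], $hash,
        $u["dateOfBirth"], $u["number"], $u["address"], $u["address2"],
        $u["country"], $u["postcode"]];
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param(str_repeat("s", count($params)), ...$params);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1); // read the outcome from the statement itself
    $stmt->close();
    return $ok;
}

$mysqli = new mysqli("localhost", "db_user", "db_password", "db_name"); // placeholders
$user = ["title" => "Ms", "firstName" => "Ada", "lastName" => "Example",
    "email" => "ada@example.com", "password" => "constructed-sample-only",
    "dateOfBirth" => "1990-01-01", "number" => "0000000000", "address" => "1 Example St",
    "address2" => "", "country" => "UK", "postcode" => "EX1 1EX"]; // constructed sample

if (emailIsAvailable($mysqli, $user["email"])) {
    echo insertUser($mysqli, $user) ? "Registered" : "Query failed";
} else {
    echo '<div class="errormsgbox">That email address has already been registered.</div>';
}
```

Two requests arriving at the same time can both pass the availability check, so a UNIQUE index on `Email` is what actually prevents duplicate accounts; with the report mode above, the losing insert raises a `mysqli_sql_exception` that the caller can catch.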