-1

Can anyone view my PHP code? How do I fix the data redundancy in my PHP to MySQL code? I don't wish to store the same data in my database. Thank you.

<?php

    $email = "";
    $passwords   = "";
    $firstname   = "";
    $lastname   = "";
    $errors = array(); 

    $db = mysqli_connect('localhost', 'root', '', 'wdt_assignment');


    if (isset($_POST['email'])) {
 
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    $firstname = mysqli_real_escape_string($db, $_POST['firstname']);
    $lastname = mysqli_real_escape_string($db, $_POST['lastname']);

    if (empty($email)) { array_push($errors, "email is required"); }
    if (empty($password)) { array_push($errors, "password is required"); }
    if (empty($firstname)) { array_push($errors, "firstname is required"); }
    if (empty($lastname)) { array_push($errors, "lastname is required"); }
    }


    $user_check_query = "SELECT * FROM customer WHERE email='$Email' OR password='$Password' LIMIT 1";
    $result = mysqli_query($db, $user_check_query);
    $user = mysqli_fetch_assoc($result);

    if ($user) { // if user exists
    if ($user['email'] === $Email) {
      array_push($errors, "email already exists");
    }

    if ($user['password'] === $Password) {
      array_push($errors, "password already exists");
    }
  }
    if (count($errors) == 0) {
 
      $query = "INSERT INTO customer (email, password, firstname, lastname) 
                VALUES('$email', '$password', '$firstname','$lastname')";
      mysqli_query($db, $query);
      $_SESSION['email'] = $email;
      $_SESSION['success'] = "You are now logged in";
  }
?>
Barmar
  • Your code has security issues. For one, you're open to SQL injection. Prepared statements are the way to [prevent it](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php), because escaping is [not safe enough](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). – El_Vanja Mar 24 '21 at 10:31
  • Also, it seems you are storing passwords in plain text. You should avoid that at all costs. PHP has [built-in hashing functions](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) that are safe against many different types of attacks and are not complicated to use. – El_Vanja Mar 24 '21 at 10:32
  • Ultimately, have a look at [How to prevent duplicate usernames when people register?](https://stackoverflow.com/a/66285030/4205384) for some good practices on building this kind of functionality. – El_Vanja Mar 24 '21 at 12:27

1 Answer

0

I recommend that you not tell the user that this password already exists in the database. I am attaching the code to check whether the email exists or not.

<?php

$email = "";
$passwords   = "";
$firstname   = "";
$lastname   = "";

$errors = array();

$db = mysqli_connect('localhost', 'root', '', 'wdt_assignment');

if (isset($_POST['email']))
{
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    $firstname = mysqli_real_escape_string($db, $_POST['firstname']);
    $lastname = mysqli_real_escape_string($db, $_POST['lastname']);

    if (empty($email)) { array_push($errors, "email is required"); }
    if (empty($password)) { array_push($errors, "password is required"); }
    if (empty($firstname)) { array_push($errors, "firstname is required"); }
    if (empty($lastname)) { array_push($errors, "lastname is required"); }

    if (count($errors) == 0)
    {
        $user_check_query = "SELECT * FROM customer WHERE email='$Email' OR password='$Password' LIMIT 1";
        $result = mysqli_query($db, $user_check_query);
        $affected_rows = mysqli_affected_rows($db);

        if ($affected_rows > 0)
        {
            array_push($errors, "email already exists");
        }
        else
        {
            $query = "INSERT INTO customer (email, password, firstname, lastname) 
            VALUES('$email', '$password', '$firstname','$lastname')";
            mysqli_query($db, $query);
            $_SESSION['email'] = $email;
            $_SESSION['success'] = "You are now logged in";
        }
    }
}
?>
John Doe
  • Hi, thank you mate, but the error does not show "email already exists" when I entered an existing email. – Alex Chong01 Mar 24 '21 at 05:13
  • The logic behind this makes for bad user experience. You tell the user that the e-mail exists in the case where it doesn't, but someone uses the same password. – El_Vanja Mar 24 '21 at 10:28
  • You should redirect the user to show whether the email exists or not – John Doe Mar 24 '21 at 11:11
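
The points raised in the comments (prepared statements, password hashing, checking only the email for duplicates) combined in one added example, which is not code from the question or the answer. It assumes a UNIQUE constraint on `customer.email` (the page does not show the table definition) and uses PDO with an in-memory SQLite table in place of the page's mysqli connection so that it runs stand-alone; `register_customer` is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Returns a list of error strings; an empty list means the row was inserted.
function register_customer(PDO $db, string $email, string $password,
                           string $firstname, string $lastname): array
{
    $errors = [];
    foreach (compact('email', 'password', 'firstname', 'lastname') as $field => $value) {
        if (trim($value) === '') {
            $errors[] = "$field is required";
        }
    }
    if ($errors) {
        return $errors;
    }

    // Store a salted hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    try {
        // Placeholders keep user input out of the SQL text.
        $stmt = $db->prepare(
            'INSERT INTO customer (email, password, firstname, lastname)
             VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$email, $hash, $firstname, $lastname]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (the duplicate email here).
        if ($e->getCode() !== '23000') {
            throw $e;
        }
        $errors[] = 'email already exists';
    }
    return $errors;
}

// Constructed demo: in-memory SQLite stands in for the wdt_assignment database.
// Assumption: email carries a UNIQUE constraint, which the page does not state.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (
    email TEXT NOT NULL UNIQUE, password TEXT NOT NULL,
    firstname TEXT NOT NULL, lastname TEXT NOT NULL)');

var_dump(register_customer($db, 'a@example.com', 'pw-one', 'Ann', 'Lee')); // first registration
var_dump(register_customer($db, 'a@example.com', 'pw-two', 'Bob', 'Ray')); // same email again
var_dump(register_customer($db, 'b@example.com', 'pw-one', 'Cy', 'Moe'));  // new email, same password
```

Letting the database reject the duplicate, instead of running a SELECT before the INSERT, also closes the window in which two simultaneous requests could both pass the check. At login, the stored hash is checked with `password_verify()`.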