-1

"undone" OR "error" RETURNS. BUT "done" DOESN'T RETURN. When mail address exists 'undone' returns, inserting new user to database works but 'done' doesn't return. I wanna see "undone" from $data["status"] return when user is inserted. How can I fix?

js

$(document).ready(function(){
   $("#form").submit(function(){
     $.ajax({
       url: "file.php",
       type: "POST",
       dataType: "json",
       data: $('#form').serialize(),
       success: function(data){
         alert(data.status);
       }
     })
   })
 })

file.php

<?php
   session_start();
   if (isset($_POST['submit'])){

     include 'config.php';
     $data = array();
     $name = $conn -> real_escape_string($_POST['username']);
     $mail = $conn -> real_escape_string($_POST['mail']);
     $psw = $conn -> real_escape_string($_POST['password']);
     $code = $conn -> real_escape_string(uniqid());
 
 
 
     $qry = $conn->query("SELECT * FROM member WHERE mail='{$mail}'");
     if (mysqli_num_rows($qry)>0) {
       $data["status"] = "undone";
     }else {
       $qry2 = $conn->prepare("INSERT INTO member (name, mail, psw, code) VALUES ('{$name}','{$mail}','{$psw}','{$code}')");
       if($qry2){
         $qry2->execute();
         $_SESSION['SESSION_MAILADDRESS'] = $mail;
         $data["status"] = "done";
 
         mysqli_free_result($qry2);
       }else {
         $data["status"] = "error";
       }
     }
     echo json_encode($data);
     mysqli_free_result($qry);
     $conn->close();
   }
  ?>

    
 
ADyson
  • What have you tried to resolve the problem? Also, be warned that your queries are widely open for SQL injection. Have a look at prepared statements to avoid getting hacked – Nico Haase Sep 22 '22 at 15:59
  • 1
    **Warning:** Your code is vulnerable to SQL Injection attacks. You should use prepared statements **and parameters** to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. real_escape_string does not cover all vulnerabilities. – ADyson Sep 22 '22 at 16:00
  • 1
    https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Sep 22 '22 at 16:00
  • 1
    Also, please don't store passwords in plain text - that is another security risk. Learn about [password hashing](https://www.php.net/manual/en/faq.passwords.php) instead. See also [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – ADyson Sep 22 '22 at 16:00
  • And add `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` before your `mysqli_connect()` (or `new mysqli()`) command, and this will ensure that errors with your SQL queries are reported correctly to PHP automatically. – ADyson Sep 22 '22 at 16:02
  • `'done' doesn't return`...what happens instead? Is there anything in the alert? Or does the alert not happen? Have you checked your browser's Console and Network tools for errors? – ADyson Sep 22 '22 at 16:02
  • @ADyson Yes alert doesn’t happen but insert query works. I checked console but there ain’t a warning. By the way thank you so much for your advice, I’ll apply them. – sedric alonso Sep 23 '22 at 00:49
  • 1
    So if there's nothing in the Console, what about your Network tool in the browser? Run your code with the tool open. Then, find the AJAX request to file.php . Click on it to open it. Have a look at it - what is the HTTP response code received back from the server? What content is in the Response tab? We could do with understanding what the PHP is actually doing. – ADyson Sep 23 '22 at 09:06
  • @ADyson I removed "mysqli_free_result($qry2)" in the if block and it worked, so weird :D – sedric alonso Sep 23 '22 at 12:11
  • Ah yes, well spotted. But it's not that weird actually. As per https://www.php.net/manual/en/mysqli-result.free.php you're supposed to pass in a mysqli result object to that function, but now I look closely, you passed it a mysqli statement object. So that should cause a crash. I expect your AJAX call returned a 500 (internal server error) status and an error message which ought to be visible from the browser's Network tool as I described. Using the mysqli_free_result command makes no sense in this context, because you don't have a result to free - an INSERT query does not generate a result set – ADyson Sep 23 '22 at 12:37

1 Answer

0

You need to remove

mysqli_free_result($qry2);

from your code.

As per https://php.net/manual/en/mysqli-result.free.php you're supposed to pass in a mysqli result object to that function, but now I look closely, you passed it a mysqli statement object. So that should cause a crash. I expect your AJAX call returned a 500 (internal server error) status and an error message which ought to be visible from the browser's Network tool as I described.

In any case, using the mysqli_free_result command makes no sense in this context, because you don't have a result to free - an INSERT query does not generate a result set.

ADyson
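An added example (not code from the question or the answer) that combines the fix above with the advice in the comments: bound parameters, `password_hash()`, `mysqli_report()` enabled before connecting, and a JSON body on every path so the `alert` always has a status to show. It assumes `config.php` creates the mysqli connection `$conn`, that `member.psw` can hold a `password_hash()` value, and that `code` is a verification token.

```php
<?php
// Added example: file.php with bound parameters and password hashing.
// Assumes config.php creates the mysqli connection $conn and that
// member.psw is wide enough for a password_hash() value (VARCHAR(255)).
session_start();
header('Content-Type: application/json');

// Must run before the connection is opened so mysqli throws on SQL errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$data = ['status' => 'error'];
try {
    include 'config.php';

    $name = $_POST['username'] ?? '';
    $mail = $_POST['mail'] ?? '';
    $psw  = $_POST['password'] ?? '';
    if ($name === '' || $mail === '' || $psw === '') {
        throw new InvalidArgumentException('missing field');
    }

    // Input travels as a bound parameter, never as part of the SQL text.
    $check = $conn->prepare('SELECT 1 FROM member WHERE mail = ?');
    $check->bind_param('s', $mail);
    $check->execute();
    $check->store_result();          // buffer rows so num_rows is valid
    $exists = $check->num_rows > 0;
    $check->close();                 // statements are closed, not "freed"

    if ($exists) {
        $data['status'] = 'undone';
    } else {
        $hash = password_hash($psw, PASSWORD_DEFAULT);
        // Assumption: code is a verification token, so it comes from a CSPRNG.
        $code = bin2hex(random_bytes(16));
        $ins = $conn->prepare(
            'INSERT INTO member (name, mail, psw, code) VALUES (?, ?, ?, ?)'
        );
        $ins->bind_param('ssss', $name, $mail, $hash, $code);
        $ins->execute();             // INSERT yields no result set to free
        $ins->close();
        $_SESSION['SESSION_MAILADDRESS'] = $mail;
        $data['status'] = 'done';
    }
    $conn->close();
} catch (Throwable $e) {
    error_log($e->getMessage());     // detail goes to the server log only
}
echo json_encode($data);
```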