0

I am trying to do a check on my database table.

It checks if, for a provided username, there exists an email address or password. In the event that either of them are present in the database for the provided username, the user is shown an error message and records are not altered.

Problem: However, for some reason my check only works if both, the password and email is present for the record (it does not display the error message if the email address is empty but password is not). Below is my code:

require ('core/dbcon.php');
$user = mysqli_real_escape_string($con, $_GET['user']);
$acc_status = mysqli_real_escape_string($con, $_GET['status']);
if(empty($_POST['form']) === false){
    $usr_email = mysqli_real_escape_string($con, $_POST['email']);
    $pwd = mysqli_real_escape_string($con, $_POST['password']);
    $rpwd = mysqli_real_escape_string($con, $_POST['rpwd']);
    $qry = mysqli_query($con, "SELECT * FROM users WHERE email='$usr_email'") or die(mysqli_error($con));
    $usr_details = mysqli_fetch_assoc($qry);
    if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){
        if(mysqli_num_rows($qry) == 0){
            if($pwd && $rpwd && $usr_email){
                if($pwd === $rpwd){
                    $pwd = md5($pwd);

                       $query = mysqli_query($con, "SELECT * FROM users WHERE username='$user' AND email='$usr_email'") or die(mysqli_error($con));
                       if (mysqli_num_rows($query)== 1){
                           //update database table
                       }else{
                            $errors[] = 'Error! Your details were not added to the system due to a technical error. Please contact the Admin.';
                        }           
                    }else{
                        $errors[] = 'Please make sure that the password entered in both fields are the same.';
                    }
                }else{
                    $errors[] = 'Please complete all fields marked with a red asterisk';
                }
            }else{
                $errors[] = 'Error! <b>'.$usr_email.'</b> already existis in our system.';
            }
        }else{
            $errors[] = 'Error! It looks like the username you have entered has been assigned an email address and password already.';
        }
    }

I have a record with username 'testuser', email '[email protected]', and password 'password'. My check works fine as it stands, it displays the error "Error! It looks like the username you have entered has been assigned an email address and password already." However, when I delete the email address form the database it somehow assumes the following conditions have been met: if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){ when empty($usr_details['password'])===false.

I have tried changing the logical operator from && to || but I get the same issue (as OR should accept one empty and one non-empty variable in the first place). Your assistance will be greatly appreciated.

Improve this question
2
  • You are using a user email ($usr_email) to query user details ($usr_details), so how can you get $usr_details when an email was deleted? By the way you have some serious security issues in your code. Commented Jul 3, 2015 at 22:42
  • I am searching the user table to find if ($usr_email) exists already. If it doesn't the system will allow the user to add it. So deleting the email address should still work. I have only posted a segment of my code. I have checks to mitigate security risks. However, I didnt feel they were relevant to the question. Commented Jul 4, 2015 at 8:18

2 Answers 2

Reset to default
1

Instead of :

if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){

Try this :

if($usr_details['email'] === NULL || $usr_details['password'] === NULL){

For empty database value, NULL is better.

Edit:

Your query will return empty cause you check $usr_details['email'] only, which is not found in database. So condition will be meet.

If you want to get this properly try to query with username or unique id

$qry = mysqli_query($con,"select * from user where id=1");

or 

$qry = mysqli_query($con,"select * from user where username='username'");

or alternatively you should check both username and password in query:

$qry = mysqli_query($con,"select * from user where email='email' OR password='password'");
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

For some reason the NULL check does not work for me. I had to revert back to 'empty' check.
empty or null both return same. But $var ="" is empty, not null. So, i have suggested you to use this. however, your query if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){ This query will return empty result. Cause you just check the email
0

I just found that the issue lied with my query as hinted by Lukas Hajdu:

$qry_email = mysqli_query($con, "SELECT email FROM users WHERE email='$usr_email'") or die(mysqli_error($con));

For some reason it only did the if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){ check only if the email address existed in the database already.

To resolve this I had to form another query:

$qry_user = mysqli_query($con, "SELECT * FROM users WHERE username='$user'") or die(mysqli_error($con));
$usr_details = mysqli_fetch_assoc($qry_user);

I don't know why this is the case and how I could improve my code. So please feel free to provide suggestions :)

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.