
No results when trying to insert a new registration after checking that the username does not already exist. I've also tried to run the query with mysql and not mysqli - that didn't work either. Can anyone describe what I have done wrong?

This is my code:

```php
<?php

if (isset($_POST["submit"])) {
    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        // mysqli_connect_error() reports a failed connection; mysqli_error() needs a valid link
        $con = mysqli_connect("xxxxxxx", "xxxx", "xxxx", "xxxxx") or die(mysqli_connect_error());
        mysqli_select_db($con, 'xxxxxx') or die("cannot select DB");
        mysqli_set_charset($con, 'utf8');

        // User input is concatenated directly into the SQL string here and in the INSERT below
        if ($result = mysqli_query($con, "SELECT * FROM login WHERE username='" . $user . "'")) {
            $row_cnt = mysqli_num_rows($result);
            if ($row_cnt == 0) {
                // The password is stored exactly as submitted
                $sql = "INSERT INTO login(username,password)VALUES('$user','$pass')";
                $query = mysqli_query($con, $sql);
                if ($query) {
                    echo "Account Successfully Created";
                } else {
                    echo "Failure!";
                }
            } else {
                echo "That username already exists! Please try again with another.";
            }

            /* close result set */
            //mysqli_free_result($result);
        }
    } else {
        echo "All fields are required!";
    }
}
?>
```
  • Well, what does it echo? And do you get any warnings/errors? Did you try to echo your $query and run it in phpMyAdmin? – Naruto Sep 30 '14 at 13:33
  • At the very least, you need some error checking. `echo 'Failure! ' . mysqli_error($con);` – Michael Berkowski Sep 30 '14 at 13:34
  • Also, please review [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). While you are using MySQLi, you are not getting the security benefit provided by `prepare()/execute()` with placeholders. Your script is currently vulnerable to injection attacks. – Michael Berkowski Sep 30 '14 at 13:35
  • In addition to the SQL injection, it is bad practice to store passwords as plain text, especially if you let your users choose their passwords. Use a hash and a random salt. – Stefan Sep 30 '14 at 13:47
  • It echoes nothing, no warnings or errors. I've tried, like you said, to run the query directly in phpMyAdmin - a new record was created. I also tried to add the `. mysqli_error($con);` - can't see anything. The page just reloads itself and no records are inserted into the DB. If I try to register with an existing name, I get the echo of "That username already exists! Please try again with another." – user2992836 Sep 30 '14 at 14:05
  • I added an if statement to check: if (!mysqli_query($con, $query)) { die ('error inserting new records
    ' . mysqli_error($con)); } and managed to see mysqli_error($con); this is what I get: 1. error inserting new records --> (no insert data..) 2. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1. Any suggestions? P.S. I'll handle the security later... Thanks.
    – user2992836 Oct 01 '14 at 06:34

0 Answers
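The points raised in the comments above (placeholders via `prepare()`/`execute()`, errors that surface instead of failing silently, a salted password hash), put together as an added example that is not part of the original thread or the asker's code. It assumes the page's `login` table with a `password` column wide enough for a hash, keeps the page's placeholder credentials, and the function name `register_user` and the UNIQUE index on `username` are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes the page's `login` table with
// `username` and `password` columns; `password` should hold 255 characters.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of passing silently

// register_user() is a hypothetical helper name introduced for this example.
function register_user(mysqli $con, string $user, string $pass): string
{
    // The placeholder keeps $user out of the SQL text entirely.
    $check = $con->prepare('SELECT 1 FROM login WHERE username = ?');
    $check->bind_param('s', $user);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if ($exists) {
        return 'That username already exists! Please try again with another.';
    }

    // password_hash() generates a random salt and embeds it in the hash.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $insert = $con->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $insert->bind_param('ss', $user, $hash);
    try {
        $insert->execute();
    } catch (mysqli_sql_exception $e) {
        // 1062 = duplicate key. Raised only if `username` has a UNIQUE index
        // (an assumption); it covers two requests racing past the check above.
        if ($e->getCode() === 1062) {
            return 'That username already exists! Please try again with another.';
        }
        throw $e;
    }
    return 'Account Successfully Created';
}

if (isset($_POST['submit'])) {
    if (empty($_POST['user']) || empty($_POST['pass'])) {
        echo 'All fields are required!';
    } else {
        // Placeholder connection values, as on the page.
        $con = new mysqli('xxxxxxx', 'xxxx', 'xxxx', 'xxxxx');
        $con->set_charset('utf8mb4');
        echo htmlspecialchars(register_user($con, $_POST['user'], $_POST['pass']));
    }
}
```

At login, the stored value is checked with `password_verify($pass, $hash)` rather than by comparing strings in SQL.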