I am trying to do a check on my database table.
It checks if, for a provided username, there exists an email address or password. In the event that either of them are present in the database for the provided username, the user is shown an error message and records are not altered.
Problem: However, for some reason my check only works if both, the password and email is present for the record (it does not display the error message if the email address is empty but password is not). Below is my code:
require ('core/dbcon.php');
$user = mysqli_real_escape_string($con, $_GET['user']);
$acc_status = mysqli_real_escape_string($con, $_GET['status']);
if(empty($_POST['form']) === false){
$usr_email = mysqli_real_escape_string($con, $_POST['email']);
$pwd = mysqli_real_escape_string($con, $_POST['password']);
$rpwd = mysqli_real_escape_string($con, $_POST['rpwd']);
$qry = mysqli_query($con, "SELECT * FROM users WHERE email='$usr_email'") or die(mysqli_error($con));
$usr_details = mysqli_fetch_assoc($qry);
if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){
if(mysqli_num_rows($qry) == 0){
if($pwd && $rpwd && $usr_email){
if($pwd === $rpwd){
$pwd = md5($pwd);
$query = mysqli_query($con, "SELECT * FROM users WHERE username='$user' AND email='$usr_email'") or die(mysqli_error($con));
if (mysqli_num_rows($query)== 1){
//update database table
}else{
$errors[] = 'Error! Your details were not added to the system due to a technical error. Please contact the Admin.';
}
}else{
$errors[] = 'Please make sure that the password entered in both fields are the same.';
}
}else{
$errors[] = 'Please complete all fields marked with a red asterisk';
}
}else{
$errors[] = 'Error! <b>'.$usr_email.'</b> already existis in our system.';
}
}else{
$errors[] = 'Error! It looks like the username you have entered has been assigned an email address and password already.';
}
}
I have a record with username 'testuser', email 'test@email.com', and password 'password'. My check works fine as it stands, it displays the error "Error! It looks like the username you have entered has been assigned an email address and password already." However, when I delete the email address form the database it somehow assumes the following conditions have been met: if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){ when empty($usr_details['password'])===false.
I have tried changing the logical operator from && to || but I get the same issue (as OR should accept one empty and one non-empty variable in the first place). Your assistance will be greatly appreciated.
Instead of :
if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){
Try this :
if($usr_details['email'] === NULL || $usr_details['password'] === NULL){
For empty database value, NULL is better.
Edit:
Your query will return empty cause you check $usr_details['email'] only, which is not found in database. So condition will be meet.
If you want to get this properly try to query with username or unique id
$qry = mysqli_query($con,"select * from user where id=1");
or
$qry = mysqli_query($con,"select * from user where username='username'");
or alternatively you should check both username and password in query:
$qry = mysqli_query($con,"select * from user where email='email' OR password='password'");
I just found that the issue lied with my query as hinted by Lukas Hajdu:
$qry_email = mysqli_query($con, "SELECT email FROM users WHERE email='$usr_email'") or die(mysqli_error($con));
For some reason it only did the if(empty($usr_details['email'])=== true && empty($usr_details['password'])=== true){ check only if the email address existed in the database already.
To resolve this I had to form another query:
$qry_user = mysqli_query($con, "SELECT * FROM users WHERE username='$user'") or die(mysqli_error($con));
$usr_details = mysqli_fetch_assoc($qry_user);
I don't know why this is the case and how I could improve my code. So please feel free to provide suggestions :)