I actually have this PHP code, which i use to obtain my database info..
function searchUserEmail($username, $raw_email){
//Prepare Statements
$query = "SELECT * FROM users WHERE username = ?";
$query2 = "SELECT * FROM users WHERE email = ?";
//Sanitize Input
$user = $this->conn->real_escape_string($username);
$email = $this->conn->real_escape_string($raw_email);
if($stmt = $this->conn->prepare($query)){
$stmt->bind_param('s', $user);
$stmt->execute();
if($stmt->num_rows > 0){
$stmt->close();
return true;
}
}
if($stmt = $this->conn->prepare($query2)){
$stmt->bind_param('s', $email);
$stmt->execute();
if($stmt->num_rows > 0){
$stmt->close();
return true;
}
}
return false;
}
I've tried this alot of times, ran it through a statement checker, still it doesn't work. Is there anything i'm missing???
Somehow it always returns a false (Even though its suppose to return true)
mysql_select_db($dataname,$conn);
Related
I am trying to find out if a user exists in my database already, but no matter what I try, I always get the equivalent of a false.
$stmt = $connection->prepare("SELECT * FROM members WHERE member_username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
if($stmt->num_rows > 0) {
return 'user exists';
}
I know this has got to be something very simple... something I am clearly overlooking, but I always get that num_rows = 0, even though the user is in the database already.
Can someone please help?
Call get_result() or store_result() before call num_rows:
$stmt = $connection->prepare("SELECT * FROM members WHERE member_username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$res = $stmt->get_result(); //<--- HERE
if($res->num_rows > 0) { //<--- HERE
return 'user exists';
}
OR
$stmt->execute();
$stmt->store_result(); //<--- HERE
if($stmt->num_rows > 0) {
something in this code doesnt work correctly. So need your help.
I have written a function in an external file:
function userExists($conn, $user){
$sql = "SELECT COUNT(*) FROM user WHERE email = :email";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':email', $user);
$stmt->execute();
$results = $stmt->fetch(PDO::FETCH_ASSOC);
if(count($results) > 0):
return true;
else:
return false;
endif;
}
And i call this function here:
if(!empty($_POST['email']) && !empty($_POST['password'])):
$email = $_POST['email'];
$password = $_POST['password'];
$records = $conn->prepare('SELECT id,username,email,password,active FROM user WHERE email = :email');
$records->bindParam(':email', $_POST['email']);
$records->execute();
$results = $records->fetch(PDO::FETCH_ASSOC);
if(userExists($conn, $email) === false){
echo 'False';
}else{
echo 'True';
}
endif;
But the output is everytime true.. maybe I can't see the wood for the trees.
Thx
Results will be greater than 0 at all times because your query is returning the value 0. So results does contain a value. Rather do this
"SELECT COUNT(*) AS Total FROM user WHERE email = :email";"
if($result['Total'] > 0)
{.....}
I have a interesting problem.
// in pdo with function --> not work
function UserIsExist($name)
{
global $db;
$stmt = $db->prepare("SELECT id FROM tarskereso_users WHERE email = '$name' LIMIT 1");
$stmt->execute();
if ($stmt->fetchColumn() == 1) return 1;
else return 0;
}
// with MySQLi --> not working
function UserIsExist($name)
{
global $db;
$stmt = $db->prepare("SELECT id,email FROM tarskereso_users WHERE email = ? LIMIT 1");
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1)
return 1;
else
return 0;
$stmt->close();
}
// In Register.php
... other ..
if(UserIsExist($user) == 1)
$error_msg = "Is Exist";
else
{
$birthdate = $year.'.'.$month.'.'.$day;
CreateUser($user,$pass,$birthdate,$sex);
$error_msg = 'Success';
}
So, with function not working, I try with:
$stmt = $db->prepare("SELECT id,email FROM tarskereso_users WHERE email = ? LIMIT 1");
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0)
... other ...
else
echo 'isnt exist...';
$stmt->close();
but not working, the num_rows always return 0. And the account in the database successfuly created
in pdo, num_rows won't work.
you have to use $sql->rowCount() method to get number of records in a table.
<?php
$sql = $con->prepare("<YOUR SQL QUERY HERE>");
$sql->execute();
if($sql->rowCount() > 0){
echo $sql->rowCount() ." rows found";
}
?>
I've made a user class which validates the data passed through the form and then subsequently updates the database table users. I want to add extra functionality such as checking if the username and email exists in the table, I've added a little script however it doesn't seem to be working.
I inserted a duplicated email address and I did not get the error message "email exists" instead I get the success message "1 row inserted":
Am I doing something wrong below? Is there perhaps a better way to approach this?
public function insert() {
if (isset($_POST['submit'])) {
$email = isset($_POST['email']) ? $this->mysqli->real_escape_string($_POST['email']) : '';
$result = $this->mysqli->prepare("SELECT * FROM users WHERE email='".$email."'");
if ($result->num_rows) {
echo "email exisits!";
}
else
{
$stmt = $this->mysqli->prepare("INSERT INTO users (username, password, name, email) VALUES (?, ?, ?, ?)");
$stmt->bind_param('ssss', $username, $password, $name, $email); // bind strings to the paramater
//escape the POST data for added protection
$username = isset($_POST['username']) ? $this->mysqli->real_escape_string($_POST['username']) : '';
$cryptedPassword = crypt($_POST['password']);
$password = $this->mysqli->real_escape_string($cryptedPassword);
$name = isset($_POST['name']) ? $this->mysqli->real_escape_string($_POST['name']) : '';
$email = isset($_POST['email']) ? $this->mysqli->real_escape_string($_POST['email']) : '';
/* execute prepared statement */
$stmt->execute();
printf("%d Row inserted.\n", $stmt->affected_rows);
/* close statement and connection */
$stmt->close();
}
You are using the worst API you ever can choose.
With safeMysql it would be
$exists = $this->db->getOne("SELECT 1 FROM users WHERE email=?s", $_POST['email']);
if ($exists) {
echo "email exisits!";
}
With PDO it is slightly longer but usable
$stmt = $this->db->prepare("SELECT 1 FROM users WHERE email=?");
$stmt->execute(array($_POST['email']));
$exists = $stmt->fetchColumn();
if ($exists)
{
echo "email exisits!";
}
But with raw mysqli you will need a screenful of code only to check if user exists.
So, the whole function using safeMysql would be
public function insert()
{
if (!isset($_POST['submit'])) {
return FALSE;
}
$sql = "SELECT 1 FROM users WHERE email=?s";
$exists = $this->db->getOne($sql, $_POST['email']);
if ($exists)
{
echo "email exisits!";
return FALSE;
}
$sql = "INSERT INTO users SET ?u";
$allowed = array('username', 'name', 'email');
$insert = $this->db->filterArray($_POST, $allowed);
$insert['password'] = crypt($_POST['password']);
$this->db->query($sql, $insert);
return $this->db->afectedRows();
}
you need to use this code after prepare statement
$stmt->execute();
$stmt->store_result();
put this
if ($result->num_rows > 0) {
echo "email exisits!";
}
instead of
if ($result->num_rows) {
echo "email exisits!";
}
First, you are using prepare (great!) but then you are just passing in the value of email, effectively defeating the benefit of prepared statements.
Second, you never execute the query, which is why you don't get anything in num_rows.
public function insert() {
$result = $this->mysqli->prepare("SELECT COUNT(*) FROM users WHERE email=?");
$result->bind_param("s", $_POST['email']);
$result->execute();
$result->bind_result($email_count);
if ($email_count) {
echo "email exisits!";
} else {
# your other logic
From what I can see you're not assigning a value to num_rows prior to testing it with if ($result->num_rows), so it will always be 0
Im studying Mysqli at the moment.
But i have a problem about how to return a resultset from a mysqli prepared statement.
I have the following code in Loginclass.php:
$stmt = mysqli_stmt_init($db->getCon());
$stmt->prepare('SELECT * FROM `user` WHERE `user_username` = ? AND `user_password` = ?');
$user_username = $this->_user_name;
$user_password = $this->_password;
$stmt->bind_param('ss', $user_username, $user_password);
$stmt->execute();
$stmt->store_result();
if($stmt->num_rows() == 0) {
return false;
}
else {
$this->setPass(true);
return $result;
}
Now i want in login.php to do the following with the returning $result var:
while ($row = $result->fetch_assoc()) {
$_SESSION['login']['user_id'] = $row['user_id'];
}
It's all because of $db->getCon() method name :)
Looks like you don't understand logic of operators - read manual.
Try this code:
//$stmt is object, which can be returned by prepare method
$stmt = $db->prepare('SELECT * FROM `user` WHERE `user_username` = ? AND `user_password` = ?');
$user_username = $this->_user_name;
$user_password = $this->_password;
$stmt->bind_param('ss', $user_username, $user_password);
$stmt->execute();
$stmt->bind_result($result); //instead of $stmt->store_result();
$stmt->fetch();
if (empty($result))
{
return false;
}
else
{
$this->setPass(true);
return $result;
}