mysql query in php always returning false

I am simply trying to call a table and check if the user inputted username maches any in the table, however I am always geting the 'your new here' response. If I put single quotes around $UserName then it will always return true instead.

<html>
<head>
<title>Welcome</title>
</head>
 <body>
 <h1>DunGen</h1>
 <?php 
  $email = $_POST["email"];
  $name = $_POST["name"];

  require_once('config.inc.php');
  $mysqli = new mysqli($database_host, $database_user, $database_pass, $database_name);
  if($mysqli -> connect_error) {
    die('Connect Error ('.$mysqli -> connect_errno.') '.$mysqli -> connect_error);
  }

if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))
{
  echo "Welcome back ",$name, "<br>";
}
else
{
echo "Hello ",$name, " you're new here ain't yah? <br>";
$sql = "INSERT INTO UserDetails (UserName, UserEmail) VALUES ('$name','$email')'";
}

if (filter_var($email, FILTER_VALIDATE_EMAIL))
{
    echo " Email adress: ", $email;
}
  else
{
    echo "Invalid Email";
}
  echo "<br>";
 //copied from w3 schools
$conn->close();
?>

</body>
<html>

fixed edit: following the advice given I replaced the if statement with these two lines:

  $result = mysqli_query($mysqli,"SELECT * FROM UserDetails WHERE   UserName='$name'");
 if($result ->num_rows == 0)

simply put I was evaluating weather I had correct SQL, not weather or not it was returning correctly.

Answers


  1. You are vulnerable to sql injection attacks.
  2. Your query is invalid:
[..snip..]* FROM UserDetails WHERE UserName=$name"))
                                            ^^^^^^

You're generating the literal query

SELECT ... WHERE UserName=Fred

and since your table is HIGHLY unlikely to have a field named Fred, you're getting a query syntax error. And since your error handling is incorrect, you never see the error message that MySQL is trying to show you.

A query which return no rows is NOT an error condition. It's a perfectly valid query, and a perfectly valid result set, which just happens to contain no rows.

Your logic should be

$sql = "....";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
if($result->num_rows == 0) {
   ... user does not exist ...
} else {
   ... user does exist ...
}

You should definitely use prepared statement functions.

But your current current issue is you missing any kind of fetch function.

So you check :

if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))

But it will return true just if your statement is correct and can be executed by mysql. The positive result does not mean you did find a user.

To check that you should fetch the result. So you can:

if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))
{
   if ($row = $result->fetch_array(MYSQLI_ASSOC)) {
     echo "Welcome back ",$row['UserName'], "<br>";
   } else {
     echo "Wrong credentials";
   }
}

UPDATE here is how you can rewrite your code using prepared statement practice:

$stmt = $mysqli->prepare('SELECT UserName FROM UserDetails WHERE UserName= ?');
$stmt->bind_param('s', $name);
if($stmt->execute())
{
   $stmt->bind_result($sqlName);
   if ($stmt->fetch()) {
     echo "Welcome back ",$sqlName, "<br>";
   } else {
     echo "Wrong credentials";
   }
}

Need Your Help

ARC, non-ARC, and inheritance

objective-c ios automatic-ref-counting

I haven't used ARC yet other than to deal with it when it forces it's way into a project via 3rd party code. I've read all the ARC docs but haven't seen an answer to this question: