2

Ok so the problem is... I'm a newbie and I'm trying to understand what is happening. I'm sending this data (name, email) through an HTML form using POST into a database. I understand the logic behind it all, but what basically happens is that every time I enter a name, any name, it echoes the else statement: "There is already a user with that name", and it sends back the first name in the database. When there's nothing, it sends nothing. So here's the chunk:

 $query= "SELECT* from users where username='".$_POST['name']."'";
        $result = mysql_query($query);
        if (!$result){


        $query = "INSERT into users (username, email, password) values
        ('".$_POST["name"]."', '".$_POST["email"]."',  
        '".$passwords[0]."')";
        $result = mysql_query($query);

        if ($result){
            echo "It's entered!";
        } else {
            echo "There's been a problem: ".mysql_error();
        }
     } else {

         echo "There is already a user with that name: <br />";
        $sqlAll = "select * from users";
         $resultsAll = mysql_query($sqlAll);
         $row = mysql_fetch_array($resultsAll);
           while ($row) {

              echo $row["username"]." -- ".$row["email"]."<br />";

           $row = mysql_fetch_array($result);
           }
     }
  • 4
    Jesus christ ANOTHER SQL injection vulnerability. Where do they all come from...!?!?!?!?!?!?!?!?!?!?!?! Commented Apr 3, 2011 at 20:36
  • I followed that tutorial from the IBM website. It's a learning tutorial. Man, I'm just learning about injection. I wouldn't use that on a real site. I'm learning! Commented Apr 3, 2011 at 20:52
  • 2
    @seb: Can you provide a link please? I will write to IBM and ask them to stop promoting this nonsense. Commented Apr 3, 2011 at 20:54
  • ibm.com/developerworks/opensource/tutorials/os-phptut1/… Commented Apr 3, 2011 at 20:57
  • 1
    @seb: Online tutorials are usually rubbish. Get yourself a good book instead! (BTW, Stack Overflow is not a "board".) Commented Apr 3, 2011 at 21:20

5 Answers

2

You may want to check mysql_num_rows() rather than checking for !$result. I think that if the query is successful you'll get a resource back, even though it contains zero rows.

You may also want to read up on: http://php.net/manual/en/security.database.sql-injection.php


1 Comment

If $result == false then mysql will throw an error with mysql_num_rows() expected the parameter to be resource but boolean given.
2

ESCAPEEEEE

Firstly, you need to learn about escaping. Have you never heard of little Johnny DROP TABLES?

http://xkcd.com/327/

Serious business

The reason why it always returns, is because the response in $result is actually a resource data type. And that will always when cast as a boolean be true. (And since your query shouldn't fail).

You should fetch the result. For example. (This isn't the best way, but it is a way to do it).

mysql_fetch_row($result)

Comments

1

Per the manual, mysql_query will return false when there is an error - "For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error."

Comments

1

See no violation in your code. First mysql_query executes with no error and always returns true. Try to test the returned rows count like this:

if (mysql_num_rows($result) == 0) {
    // insert record
} else {
    // show already exists
}

Comments

0

First of all, you are testing for:

if (!$result)

which will evaluate to true only if the query fails.

You should also sanitize all input before using it in SQL queries.

Comments
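
Added example, not part of any answer above: one way to combine the row-count check and the injection fix that the answers point to, using PDO prepared statements instead of the mysql_* functions. It assumes PHP with the pdo_sqlite extension; the in-memory table, the `registerUser` helper and the sample inputs are constructed for illustration, and a MySQL DSN would replace the SQLite one.

```php
<?php
// Added example: constructed schema and inputs, in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)');

/**
 * Hypothetical helper: returns true if the user was inserted,
 * false if the username is already taken.
 */
function registerUser(PDO $pdo, string $name, string $email): bool
{
    // The value is bound as data, so quotes in $name cannot change the query.
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $check->execute([$name]);

    // A successful SELECT is truthy even with zero matches; look at the count.
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    $insert = $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    try {
        $insert->execute([$name, $email]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 is an integrity constraint violation:
        // another request inserted the same name between check and insert.
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return false;
        }
        throw $e;
    }
    return true;
}

// Constructed inputs standing in for $_POST['name'] and $_POST['email'].
$attempts = [
    ['seb', 'seb@example.com'],
    ['seb', 'other@example.com'],         // duplicate name
    ["x' OR '1'='1", 'odd@example.com'],  // quote characters are stored literally
];
foreach ($attempts as [$name, $email]) {
    $ok = registerUser($pdo, $name, $email);
    // Escape on output so stored values cannot inject HTML.
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), ': ',
         $ok ? "It's entered!" : 'There is already a user with that name', "\n";
}
```

The unique key on `username` is what actually enforces "one user per name"; the SELECT only provides the friendly message.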
