Reputation: 49
mysql query in php always returning false
I am simply trying to call a table and check if the user inputted username maches any in the table, however I am always geting the 'your new here' response. If I put single quotes around $UserName then it will always return true instead.
<html>
<head>
<title>Welcome</title>
</head>
<body>
<h1>DunGen</h1>
<?php
$email = $_POST["email"];
$name = $_POST["name"];
require_once('config.inc.php');
$mysqli = new mysqli($database_host, $database_user, $database_pass, $database_name);
if($mysqli -> connect_error) {
die('Connect Error ('.$mysqli -> connect_errno.') '.$mysqli -> connect_error);
}
if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))
{
echo "Welcome back ",$name, "<br>";
}
else
{
echo "Hello ",$name, " you're new here ain't yah? <br>";
$sql = "INSERT INTO UserDetails (UserName, UserEmail) VALUES ('$name','$email')'";
}
if (filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo " Email adress: ", $email;
}
else
{
echo "Invalid Email";
}
echo "<br>";
//copied from w3 schools
$conn->close();
?>
</body>
<html>
fixed edit: following the advice given I replaced the if statement with these two lines:
$result = mysqli_query($mysqli,"SELECT * FROM UserDetails WHERE UserName='$name'");
if($result ->num_rows == 0)
simply put I was evaluating weather I had correct SQL, not weather or not it was returning correctly.
Upvotes: 1
Views: 1219
Answers (2)
Reputation: 17289
You should definitely use prepared statement functions.
But your current current issue is you missing any kind of fetch function.
So you check :
if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))
But it will return true just if your statement is correct and can be executed by mysql. The positive result does not mean you did find a user.
To check that you should fetch the result. So you can:
if($result = $mysqli -> query("SELECT * FROM UserDetails WHERE UserName=$name"))
{
if ($row = $result->fetch_array(MYSQLI_ASSOC)) {
echo "Welcome back ",$row['UserName'], "<br>";
} else {
echo "Wrong credentials";
}
}
UPDATE here is how you can rewrite your code using prepared statement practice:
$stmt = $mysqli->prepare('SELECT UserName FROM UserDetails WHERE UserName= ?');
$stmt->bind_param('s', $name);
if($stmt->execute())
{
$stmt->bind_result($sqlName);
if ($stmt->fetch()) {
echo "Welcome back ",$sqlName, "<br>";
} else {
echo "Wrong credentials";
}
}
Upvotes: 1
Reputation: 360872
- You are vulnerable to sql injection attacks.
- Your query is invalid:
[..snip..]* FROM UserDetails WHERE UserName=$name"))
^^^^^^
You're generating the literal query
SELECT ... WHERE UserName=Fred
and since your table is HIGHLY unlikely to have a field named Fred, you're getting a query syntax error. And since your error handling is incorrect, you never see the error message that MySQL is trying to show you.
A query which return no rows is NOT an error condition. It's a perfectly valid query, and a perfectly valid result set, which just happens to contain no rows.
Your logic should be
$sql = "....";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
if($result->num_rows == 0) {
... user does not exist ...
} else {
... user does exist ...
}
Upvotes: 2
Related Questions
- Database query always returns TRUE
- Query returning false PHP
- Query returning false
- Mysql query always returning true
- PHP database query returns false everytime
- MySQL query returns a false value
- Mysql PHP Query Runs Perfectly, But returns as false
- mysql query in php evaluates to true wrongly
- Returns false when running this query
- PHP mysql_query not returning false