im struggling bad here please help

[Weiss]

Hi. ive been struggling for 2 hours over this and i just cannot understand whats wrong here.

im trying to create a signup.php where there is a form in the index. with post method, and the inputs are username, password and confirmed password.

in the php file i some functions (like isExist($username) which return true if someone wanna sign up with a username that already exist..)

im embedding the code here:

<?php
//First define some functions..
function isExist ($username){//Return TRUE if name already exist in users table
  $query = "SELECT * FROM users WHERE username = $username";
  $result = mysqli_query($con, $query) or die ('Cannot use SELECT query');
  return (mysqli_num_rows($result) != 0);//Since username can be only 1 per name, any number !=0 means 1 actually..
}

function passChk($password, $conf_pass){//Return TRUE if pass and confirmed pass match
  return ($password == $conf_pass);
}

function newUser ($username, $password){//Add a new user .. duh ;p
  if (!isExist($username)) {
    if (passChk($pass, $conf_pass)){
      $query  = "INSERT INTO 'users' (username, password, id) VALUES ('$username', '$password')";
      mysqli_query($con, $query) or die ("Cannot INSERT into Database");
      echo 'Username Created successfully';
    } else {echo '<script>alert ("Password and confirmed password do not match")</script>';
      header("Location: http://www.sweiss.co.il/sfn/index.html");
    }
  } else { echo '<script>alert ("Username already exist!")</script>';
    header("Location: http://www.sweiss.co.il/sfn/index.html");
  }
  mysqli_close($con);
}
//Code start
require_once('connectvars.php');
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die ('Cannot create connection to Database');
mysqli_set_charset($con, "utf8") or die ('Could not set utf-8');//Will allow us to use hebrew
$username = mysqli_real_escape_string($con, trim($_POST['username']));//Defence vs sql injection
$password = mysqli_real_escape_string($con, trim($_POST['password']));
$conf_pass = mysqli_real_escape_string($con, trim($_POST['conf_pass']));


newUser ($username, $password);

?>

i keep getting the error from the first function isExist.. cannot use SELECT query.

plase any help would be much appriciated

[justsomeguy]

function newUser ($username, $password){
  $return = ['success' => false, 'message' => ''];

  if (!isExist($username)) {
    if (passChk($pass, $conf_pass)){
      
      // insert into the database here
      
      $return['message'] = 'Username Created successfully';
      $return['success'] = true;
    } else {
      $return['message'] = "Password and confirmed password do not match";
    }
  } else { 
    $return['message'] = 'Username already exists';
  }
  return $return;
}

 

[justsomeguy]

The forum completely wiped out my reply when I tried to edit my post, because the forum software is awesome. I'll try that again.

[justsomeguy]

The reason why your code isn't working is because $con is not defined in those functions (and $pass and $conf_pass are not defined in newUser either).  You can use global variables inside the function, but it's better to avoid globals and pass in any variables you want the functions to use.  So you should pass $con to the functions.

You should add this to the top of your code:

ini_set('display_errors', 1);
	error_reporting(E_ALL);

You should switch your database code to use prepared statements instead of trying to manually escape everything.  Prepared statements offer better security.  You can use prepared statements with mysqli, but it's better to use PDO.  The PDO code is shorter and easier to understand, and PDO works with databases other than only MySQL.  e.g.:

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
if ($stmt->execute(array($username))) {
  if ($row = $stmt->fetch()) {
    // it found a user
  }
}

http://php.net/manual/en/book.pdo.php

For the code I posted above, I was saying that each function should only do one thing.  Your newUser function should only validate and add the user if necessary, it should not also output anything or redirect.  Your main code should do that based on what the function returned.  If you want to return multiple values you can use an array like I did above to return a "success" value for whether the user was added, and a message to show them.  So your main code would call that function and then decide what to do.  Those header redirects wouldn't work though, because you sent output to the browser first.

$result = newUser(...);
	if ($result['success']) {
	  // maybe redirect to a thank-you page or something
	}
	else {
	  // show the error in $result['message']
	}

[Weiss]

THANK YOU VERY MUCH!!