Register Form. Why does the function mysql_query($query); return FALSE?

Hi,

When I run SELECT username FROM users_reg WHERE username='alex' in phpMyAdmin, it works. But from the PHP file, it does not.

Why does the function mysql_query($query); return FALSE?

register.php


<?php
require 'core.inc.php';
if (!loggedin()) {
    if (isset($_POST['username']) && isset($_POST['password']) &&
            isset($_POST['password_again']) && isset($_POST['firstname']) &&
            isset($_POST['surname'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $password_again = $_POST['password_again'];
        $firstname = $_POST['firstname'];
        $surname = $_POST['surname'];
        if (!empty($username) && !empty($password) && !empty($password_again) &&
                !empty($firstname) && !empty($surname)) {
            if ($password != $password_again) {
                echo 'Passwords do not match.';
            } else {
                $query = "SELECT `username` FROM `users_reg` WHERE `username`='".$username."'";
                $query_run = mysql_query($query);
                if ($query_run) {
                    if (mysql_num_rows($query_run) >= 1) {
                        echo 'The username ' . $username . ' already exists.';
                    } else {
                        echo 'Ok.';
                    }
                } else {
                    echo 'register.php: query failed - ' . $query;
                }
            }
        } else {
            echo 'All fields are required';
        }
    }
    ?>

    <form action="register.php" method="POST">
        Username:<br />
        <input type="text" name="username" value="" /><br />
        <br />
        Password:<br />
        <input type="password" name="password" value="" /><br />
        <br />
        Password again:<br />
        <input type="password" name="password_again" value="" /><br />
        <br />
        Firstname:<br />
        <input type="text" name="firstname" value="" /><br />
        <br />
        Surname:<br />
        <input type="text" name="surname" value="" /><br />
        <br />
        <input type="submit" value="Register" />
    </form>

    <?php
} else {
    echo 'You\'re already registered and logged in.';
}
?>

core.inc.php


<?php

//$current_file = $_SERVER['SCRIPT_FILENAME'];
// C:/xampp/htdocs/PhpTurorials/PhpAlex/Php_137/index.php
ob_start();
session_start();

$current_file = $_SERVER['SCRIPT_NAME'];
$http_referer = @$_SERVER['HTTP_REFERER'];

// /PhpTurorials/PhpAlex/Php_137/index.php

function loggedin() {
    if (isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])) {
        return true;
    } else {
        return false;
    }
}

function getuserfield($field) {
    $query = "SELECT `$field` FROM `users_reg` WHERE `id`='" . $_SESSION['user_id'] . "'";
    if ($query_run = @mysql_query($query)) {
        if ($query_result = @mysql_result($query_run, 0, $field)) {
            return $query_result;
        } else {
            echo 'getuserfield(): cannot find the field - '.$field;
        }
    } else {
        echo 'getuserfield(): invalid query';
    }
}
?>

Thank you.

The problem has been solved. I added:

require 'connect.inc.php';

register.php


<?php
require 'connect.inc.php';
....
?>

connect.inc.php


<?php
$mysql_host = 'localhost';
$mysql_user = 'root';
$mysql_pass = '';

$mysql_db = 'a_database';

if (!@mysql_connect($mysql_host, $mysql_user, $mysql_pass) || !@mysql_select_db($mysql_db)) {
    die(mysql_error());
}
?>

P.S. It’s from the video tutorial: http://thenewboston.org/watch.php?cat=11&number=146

mysql_query() is deprecated; better to use mysqli or PDO instead.

Thank you very much. I will :)

Also (probably even more important) is the fact that your script is vulnerable to SQL Injection attacks. Once you’ve migrated over to using either the mysqli_* extension or to PDO (PDO is preferable as it doesn’t tie you down so much to a given database server software), you should make use of prepared statements. All user-submitted data, no matter how it’s being submitted (GET, POST or REQUEST arrays or a cookie), must always be considered unsafe until it has been validated and sanitized.
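The username check from register.php rewritten with a PDO prepared statement, as an added example that is not code from any poster in this thread. The function name `username_exists` is hypothetical, and an in-memory SQLite database with a constructed `users_reg` table stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not the original poster's code.
// Assumption: SQLite in memory replaces MySQL so this runs without a server.
// For MySQL the DSN would look like
// 'mysql:host=localhost;dbname=a_database;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');

// Raise exceptions on failure instead of returning FALSE silently, so a
// missing connection or a bad query is reported where it happens.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data mirroring the table used in the thread.
$pdo->exec('CREATE TABLE users_reg (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec("INSERT INTO users_reg (username) VALUES ('alex')");

/**
 * Return true when the username is already registered.
 * The SQL text is fixed; the value travels as a bound parameter and is
 * never concatenated into the statement.
 */
function username_exists(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM users_reg WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: an existing name, an unused name, and a value that
// contains quote characters.
$samples = ['alex', 'bob', "x' OR '1'='1"];

foreach ($samples as $name) {
    try {
        $state = username_exists($pdo, $name) ? 'taken' : 'free';
        echo json_encode($name), ' => ', $state, PHP_EOL;
    } catch (PDOException $e) {
        // Log the detail server-side; show the visitor a generic message.
        error_log($e->getMessage());
        echo 'Lookup failed.', PHP_EOL;
    }
}
```

The third sample is compared as a literal username and matches no row, whereas the concatenated query in register.php would place its quote characters directly into the SQL text.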