0

I have a mobile app that allow technicians to register, I want to prevent duplicated email address and mobile number, I wrote this code in my php file 

<?php
require "config.php";

$name = $_POST['name'];

$password = $_POST['userpass'];
$emailadd = $_POST['emailadd'];
$phone = $_POST['phone'];
$category = $_POST['category'];
$token = $_POST['token'];

$username = stripslashes($username);
$password = stripslashes($password);

$sql_get_email= "SELECT * FROM technician where emailadd ='$emailadd';";

$result1 = mysqli_query($db, $sql_get_email);

 $row = mysqli_fetch_array($result1,MYSQLI_ASSOC);


      $count = mysqli_num_rows($result);

      // If result matched $myusername and $mypassword, table row must be 1 row

      if($count >0) {
         echo  "Email already exists in our database";

die();
}
 else {
    $mysql_get_phone = "SELECT * FROM technician where mobile ='$phone';";

$result1 = mysqli_query($db, $sql_get_email);

 $row = mysqli_fetch_array($result1,MYSQLI_ASSOC);


      $count = mysqli_num_rows($result);

      // If result matched $myusername and $mypassword, table row must be 1 row

      if($count >0) {
         echo  "Pnone number already exists in our database";

die();

}

else {

$sql = "INSERT INTO technician (name, emailadd, password, mobile, category, fcm_key)
VALUES ('$name',  '$emailadd', '$password','$phone', '$category','$token')";

if ($db->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $db->error;
}
}}
$db->close();
?>

and I have this excerpt from my BackgroundTask.java to check for the result of the registration

@Override
protected void onPostExecute(String result) {
    if (result.equals("Email already exists in our database")) {

    final Dialog dialog = new Dialog(ctx);
    dialog.setContentView(R.layout.dialog_second);
    dialog.setTitle("ERROR");
    dialog.setCancelable(true);
    //set up text
    TextView text = (TextView) dialog.findViewById(R.id.TextView01);
    text.setText(result);

    //set up button
    Button button = (Button) dialog.findViewById(R.id.btnOk);

    button.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            dialog.dismiss();
        }

    });
    //now that the dialog is set up, it's time to show it
    dialog.show();
} else  if (result.equals("Pnone number already exists in our database")) {

    final Dialog dialog = new Dialog(ctx);
    dialog.setContentView(R.layout.dialog_second);
    dialog.setTitle("ERROR");
    dialog.setCancelable(true);
    //set up text
    TextView text = (TextView) dialog.findViewById(R.id.TextView01);
    text.setText(result);

    //set up button
    Button button = (Button) dialog.findViewById(R.id.btnOk);

    button.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            dialog.dismiss();
        }

    });
    //now that the dialog is set up, it's time to show it
    dialog.show();
}else
if (result.equals("Registration Success...")) {
    Toast.makeText(ctx, "Registration Successful......Please login", Toast.LENGTH_LONG).show();


    Intent intent = new Intent(ctx, Login.class);
    ctx.startActivity(intent);

I found out that the registration is always successful even with duplicated entry.

config.php

<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'proartisan_dbadmin');
   define('DB_PASSWORD', 'YYYYYYYYY');
   define('DB_DATABASE', 'XXXXXXXXX');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
LaideLawal
  • 77
  • 1
  • 10
  • simple way create a php file that check if email and phone exists and when user enter data send to the php and check if exists, get response if response is yes not register if no register if you need i can create a detailed answer – Bruno Ferreira Jul 31 '17 at 21:29
  • What is the result of $count when it is duplicated and when it is not – Thorny84 Jul 31 '17 at 22:00
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Aug 01 '17 at 01:18
  • **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Aug 01 '17 at 01:19
  • @BrunoFerreira, Please I need a detailed answer, Thank you and thank all for your contributions – LaideLawal Aug 01 '17 at 05:31
  • @LaideLawal can you post your config.php file. Your code is vulnerable to sql injection. – Bruno Ferreira Aug 01 '17 at 07:32
  • @BrunoFerreira config.php file added as requested – LaideLawal Aug 01 '17 at 08:34

1 Answers1

0

So here is my detailed answer.

New config.php

<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'proartisan_dbadmin');
   define('DB_PASSWORD', 'YYYYYYYYY');
   define('DB_DATABASE', 'XXXXXXXXX');
   $db = new mysqli(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
?>

New main php

<?php
require "config.php";

$name = $_POST['name'];

$password = $_POST['userpass'];
$emailadd = $_POST['emailadd'];
$phone = $_POST['phone'];
$category = $_POST['category'];
$token = $_POST['token'];

$username = stripslashes($username);
$password = stripslashes($password);

if ($db->connect_error) {

die("Connection failed: " . $db->connect_error);

}

$sql_get_email= "SELECT * FROM technician where emailadd =$emailadd";

$stmt=$conn->prepare($sql_get_email);
$stmt->execute();
$stmt->store_result();
$stmt->fetch();
$count=$stmt->num_rows();

      // If result matched $myusername and $mypassword, table row must be 1 row

      if($count >0) {
         echo  "Email already exists in our database";
         $stmt->close();
         die();
}
 else {
    $mysql_get_phone = "SELECT * FROM technician where mobile =$phone";

    $stmt=$conn->prepare($mysql_get_phone);
    $stmt->execute();
    $stmt->store_result();
    $stmt->fetch();
    $count=$stmt->num_rows();


    // If result matched $myusername and $mypassword, table row must be 1 row

      if($count >0) {
         echo  "Pnone number already exists in our database";
         $stmt->close();
         die();
      }
}
else {

$sql = "INSERT INTO technician (name, emailadd, password, mobile, category, fcm_key)
VALUES (?, ?, ?, ?, ?, ?)";

$stmt=$conn->prepare($sql);
$stmt->bind_param('ssssss', $name, $emailadd, $password, $phone, $category, $token);

if($stmt->execute()){
  echo "New record created successfully";
}else{
  echo "Error: " . $sql . "<br>" . $stmt->error;
}

$stmt->close();
$db->close();
}}
?>

So using mysqli and prepared statements avoids SQL Injection and if the email or phone alerady exists echo and close connection to avoid problems.

Bruno Ferreira
  • 1,561
  • 1
  • 10
  • 17