-1

Okay, so I am trying to add a user registration form to my site. I've been trying to fix this for days and nothing I've tried seems to work. Currently I'm getting this Warning when I fill in the registration form and hit the submit button.

Warning: mysql_num_rows() expects parameter 1 to be resource, null given in /Applications/XAMPP/xamppfiles/htdocs/tutorials/MySite/index.php on line 64

I have triple checked to make sure that the syntax of my database and rows are the same in the script and in phpmyadmin, so I'm really lost and don't know what to do from here. I always have trouble connecting to and doing queries/retrieving information from phpmyadmin.

So far this is what I've got (sorry for so much code):

    <?php

    $reg = $_POST['reg'];
    // declaring variables to prevent errors

    $fn      = ""; //first name
    $ln      = ""; //last name
    $un      = ""; //username
    $em      = ""; //email
    $em2     = ""; //email 2
    $pswd    = ""; //password
    $u_check = ""; //check if username exists

    //registration form
    $fn    = strip_tags($_POST['fname']);
    $ln    = strip_tags($_POST['lname']);
    $un    = strip_tags($_POST['username']);
    $em    = strip_tags($_POST['email']);
    $em2   = strip_tags($_POST['email2']);
    $pswd  = strip_tags($_POST['password']);
    $pswd2 = strip_tags($_POST['password2']);
    $d     = date("Y-m-d"); // year - month - day

    if ($reg) {
        if ($em == $em2) { //this block of code is where I'm having the most trouble at.
            // Check if user already exists
            $u_check = mysql_query("'SELECT' username 'FROM' users 'WHERE' username='$un'");
            // Count the amount of rows where username= $un
            $check   = mysql_num_rows($u_check); //<<<<<<<<<<<<<<<<<<<<<<<<LINE 64
            if ($check == 0) { //maybe this should be $u_check??\\

                //check all of the fields have been filled in
                if ($fn && $ln && $un && $em && $em2 && $pswd && $pswd2) {
                    //check that passwords match
                    if ($pswd == $pswd2) {
                        //check the maximum length of username/first name/last name does not exceed 25 characters.
                        if (strlen($un) > 25 || strlen($fn) > 25 || strlen($ln) > 25) {
                            echo "The maximum limit for username/first name/ last name is 25 characters!";

                        } else { //check to see if password is allowable length
                            if (strlen($pswd) > 30 || strlen($pswd) < 5) {
                                echo "Your password must be between 5 and 30 characthers long!";
                            } else {
                                //encrypts password using md5 before sending to database
                                $pswd  = md5($pswd);
                                $pswd2 = md5($pswd2);
                                $query = mysql_query("INSERT INTO users VALUES (' ', '$un', '$fn', '$ln', '$em', '$pswd', '$d', '0')");
                                die("<h2>Welcome to MySite</h2>Login to your account to get started....");
                            }
                        }
                    } else {
                        echo "Your passwords don't match!";

                    }
                } else {
                    echo "Please fill in all fields";
                }
            }
        }
    }

    ?>

Once again, I have been trying to get this fixed for days and still can't figure out what is going on.

Yogus
  • `strip_tags` is not anywhere close to [proper SQL escaping](http://bobby-tables.com/php). If you wrote this, you really need to [brush up on the basics](http://biasedphp.com/php-commandments). What's the application you're building here? You can't store plain-text passwords and think that's okay. – tadman May 22 '13 at 02:28
  • -1 for using mysql_query in 2013. Try [mysqli](http://us1.php.net/manual/en/book.mysqli.php) or [PDO](http://us1.php.net/manual/en/book.pdo.php) instead. – cHao May 22 '13 at 02:37

2 Answers

1

You get the error because your query does not return an object to count. It is failing.

Your query has invalid syntax:

    $u_check = mysql_query ("'SELECT' username 'FROM' users 'WHERE' username='$un'");

should be:

    $u_check = mysql_query ("SELECT `username` FROM `users` WHERE `username`='$un'");

And for the love of man, sanitize your input and switch to PDO or mysqli, seeing as mysql_ functions are deprecated.

Here is a very basic PDO example, which assumes you followed the basic tutorial to connect to your database:

    //assumes $db is your PDO connection
    $sql = $db->prepare('SELECT `username` FROM `users` WHERE `username`=:username');
    $sql->bindParam(':username', $un, PDO::PARAM_STR);
    $sql->execute();

Kai Qing
  • Can you at least add some escaping to this or show the PDO version? This is scary bad. – tadman May 22 '13 at 02:29
  • 1
    I added a very basic example, though OP really should read up on PDO or mysqli in greater depth than any example I can realistically provide here. – Kai Qing May 22 '13 at 02:34
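
Added example (not part of the question or of either answer): the username check and insert from the question, done with PDO prepared statements, exceptions for failed queries, and `password_hash()` in place of `md5()`. The in-memory SQLite database, the table layout and the `register_user` helper are assumptions made so the snippet runs on its own.

```php
<?php
// Added example: constructed schema and inputs; in-memory SQLite keeps it offline.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors, so a failed query cannot silently reach the row count.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    email TEXT NOT NULL, password_hash TEXT NOT NULL,
    sign_up_date TEXT NOT NULL)');

// Hypothetical helper: returns an error message, or null on success.
function register_user(PDO $pdo, $un, $em, $pswd)
{
    if ($un === '' || strlen($un) > 25) {
        return 'Username must be 1 to 25 characters.';
    }
    if (filter_var($em, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address.';
    }
    // Bound parameter: $un travels as data, never as part of the SQL text.
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :username');
    $check->execute([':username' => $un]);
    if ((int) $check->fetchColumn() > 0) {
        return 'Username already taken.';
    }
    $insert = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash, sign_up_date)
         VALUES (:un, :em, :hash, :d)'
    );
    try {
        $insert->execute([
            ':un'   => $un,
            ':em'   => $em,
            ':hash' => password_hash($pswd, PASSWORD_DEFAULT), // salted hash, not md5()
            ':d'    => date('Y-m-d'),
        ]);
    } catch (PDOException $e) {
        // The UNIQUE constraint covers the race between check and insert.
        if ($e->getCode() == 23000) { return 'Username already taken.'; }
        throw $e;
    }
    return null;
}

// Constructed inputs; the third carries quotes and is stored as plain data.
var_dump(register_user($pdo, 'alice', 'alice@example.com', 'correct horse'));
var_dump(register_user($pdo, 'alice', 'a2@example.com', 'another pass'));
var_dump(register_user($pdo, "x' OR '1'='1", 'x@example.com', 'some pass'));
```

At login, the stored value is checked with `password_verify($pswd, $row['password_hash'])` rather than by comparing hashes as strings.
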
1

Use PDO:

    $sql = "SELECT `username` FROM `users` WHERE `username` = :username";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':username', $un, PDO::PARAM_STR);
    $stmt->execute();

Yogus