    $query = "SELECT username, email
              FROM members
              WHERE username = :username OR email = :email";
    $stmt = $sql->prepare($query);
    $stmt->execute(array(
        ':username' => $_POST['username'],
        ':email' => $email
    ));

    $existing = $stmt->fetchObject();

    if ($existing)
    {
        if ($existing->username == $_POST['username'])
        {
            $errors['username'] = "Username already in use !";
        }
        if ($existing->email == $email)
        {
            $errors['email'] = "Mail already in use !";
        }
    }

This is part of the register.php file. I'm not sure that just this part is responsible for the problem, but I suppose so.
So, if the table members is empty and the form is submitted, Firefox shows its busy-gif for about half a minute, but ends without registering the new user and without showing any error. It just keeps freezing.
Then I press F5, a window to approve resending the information appears, I click Resend, and the new user is registered.
If the table members is not empty, everything works normally.
It seems the problem is that the code above is busy trying to find non-existing data.
If so, how can I tell it something like: if the table is empty, stop trying and just register the new user?

Alegro

3 Answers

2

I'm pretty sure $existing = $stmt->fetchObject(); is fetching you an empty object, but one that does not implicitly evaluate to false. After that there's nothing in your code that would trigger, leading to your blank output.

Try a var_dump($existing) to see what your code is actually operating on.

edit

$existing = $stmt->fetchObject(); //this might be returning an empty object

if ($existing) { //empty objects evaluate to true
    if ($existing->username == $_POST['username']) {
        $errors['username'] = "Username already in use !";
    } else if ($existing->email == $email) {
        $errors['email'] = "Mail already in use !";
    } else {
        //this will trigger if something ELSE is wrong other than what you're explicitly checking for.
        $errors['other'] = "Something else is wrong.\n" . var_export($existing, TRUE);
    }
}
Sammitch
  • This is probably right. Just checked - empty objects are "true". fetchObject() only returns false on failure. – Raekye Dec 27 '12 at 18:38
  • @Raekye and it's a bit nebulous as to what "failure" is. I prefer using `fetchAll(PDO::FETCH_ASSOC)` and then a simple `count()` on the return. – Sammitch Dec 27 '12 at 18:44
  • So, would be the solution that I keep one `blind user` - untouchable in the table ? – Alegro Dec 27 '12 at 18:44
  • @Alegro no, the solution is to investigate further and repair the flaw in your program's logic. Besides, I seriously doubt that the issue is that your table is merely empty. I believe your code will always fail in the way you describe unless a user with the same name or email already exists. – Sammitch Dec 27 '12 at 18:46
  • @Sammitch, where is the error ? I normally register each following user - after the first one. – Alegro Dec 27 '12 at 18:48
  • @Alegro I've edited my answer to include a modification of your code with comments. – Sammitch Dec 27 '12 at 18:54
  • @Sammitch, I tried - the same behavior. The first user is registered after clicking - `Resend` in FF. Maybe it is relevant - when the form is submitted, FF shows a small window to remember the pass. When I close this window - FF immediately stops trying and freezes all. – Alegro Dec 27 '12 at 19:05
  • Ok, guys. I will accept Sammitch's post, because it is the nearest way to the real solution, I hope. Thanks, again. – Alegro Dec 27 '12 at 19:17
  • @Alegro when you find the solution be sure to update your posting so that it can be of use to other people with similar issues. Sharing is caring. – Sammitch Dec 27 '12 at 21:19
1

Should $email be $_POST['email']? And what is the full code - you don't have a closing if brace here. In that case, everything after would only execute if $existing is true. So the first time, nothing would be displayed. Also, it's better to use database constraints to ensure no duplicates like MySQL - Meaning of "PRIMARY KEY", "UNIQUE KEY" and "KEY" when used together while creating a table

Community
Raekye
1

It should be noted that it is generally a bad idea from a security standpoint to confirm to a would-be attacker that a username or email address exists in your system. This presumably would give them half of the information needed to execute a dictionary attack on your login.

I would make the username and email fields in your table have unique indexes, and just go straight to the insert. If the insert fails because one of the uniqueness constraints doesn't allow it, just give the user a generic message about not being able to register.

This will also happen to save you a lot of unnecessary queries against the database.

Mike Brant
  • Mike, could you write a short sample, please. – Alegro Dec 27 '12 at 18:42
  • I assume you already have the insert written to register the user. My suggestion is just to ditch all this pre-checking business and just go right to that insert, and handle any insert errors with a generic message. Of course you need to add unique indexes on those fields if they do not already have them. – Mike Brant Dec 27 '12 at 18:47
  • Thanks, Mike, I'll try. Strange is that each following user (after the first one) is normally registered. – Alegro Dec 27 '12 at 18:53
  • @Alegro I think Sammitch answered what the actual problem is with your current script. I am simply proposing a method that will make your code cleaner, more secure, and less chatty with the database. – Mike Brant Dec 27 '12 at 18:56
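
The insert-first approach from the last answer, as an added example that is not code from any poster in this thread: unique constraints on both columns, a direct insert, and one generic message whichever constraint rejects it. The column layout, the `registerMember()` helper, the message text and the in-memory SQLite database are assumptions made so the sample runs offline; only the `members` table name comes from the question.

```php
<?php
// Added example, not code from the original thread. Uses an in-memory SQLite
// database so it runs offline; on MySQL the same UNIQUE constraints apply.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The `members` table name comes from the question; the column layout is assumed.
$pdo->exec("CREATE TABLE members (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL UNIQUE
)");

// Hypothetical helper: returns null on success or one generic message on failure.
function registerMember(PDO $pdo, string $username, string $email): ?string
{
    $generic = "Registration could not be completed.";
    try {
        $stmt = $pdo->prepare(
            "INSERT INTO members (username, email) VALUES (:username, :email)"
        );
        $stmt->execute([':username' => $username, ':email' => $email]);
        return null;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate key).
        // Anything else is a real fault: log it server-side, never to the page.
        if (strncmp((string) $e->getCode(), '23', 2) !== 0) {
            error_log($e->getMessage());
        }
        // Same text whether the username, the email, or something else failed.
        return $generic;
    }
}

// Constructed sample input.
$attempts = [
    ['alice', 'alice@example.com'],   // first user, table is empty
    ['alice', 'other@example.com'],   // duplicate username
    ['bob',   'alice@example.com'],   // duplicate email
    ['bob',   'bob@example.com'],     // new user
];
foreach ($attempts as [$username, $email]) {
    $error = registerMember($pdo, $username, $email);
    echo $username, ' / ', $email, ': ', $error ?? 'registered', PHP_EOL;
}
```

Because the database enforces uniqueness at insert time, two simultaneous submissions of the same username cannot both succeed, which a separate SELECT followed by an INSERT does not guarantee.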