请告诉这个MySQL查询中的错误

Question

I wrote a mysql query but i am not getting the result as expected. This is to check that if the username and email is not as same as someone else's username or email but not his own user and email.

I have tried many other queries like EXCEPT query

$user_check_query = "SELECT * FROM users WHERE username='$username' 
OR email='$email' AND NOT id='$id'";
        $result = mysqli_query($db, $user_check_query);
        $user = mysqli_fetch_assoc($result);

        if ($user) { // if user exists
            if ($user['username'] === $username) {
            array_push($errors, "Username already exists");
            }

            if ($user['email'] === $email) {
            array_push($errors, "Email already exists");
            }
        }

This query is supposed to select row where username = username or password = password but id is not = id But when there is no change in username or email it returns error that username already exits and email already exists but it should not.

Answer 1

Warning: You are wide open to SQL Injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi . Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still in risk of corrupting your data .

To answer your question, You are mixing AND and OR in your WHERE clause. This jacks with the order/precedence of how the WHERE clause will be parsed. With no parentheses, the WHERE clause will 'reset' when it sees an OR. For example, your query will be interpreted as "where username equals username, or, while no longer considering username, email equals email AND also id is not id."

When you put parentheses, you change how is it interpreted by grouping the username=username OR email = email together, and after that, also check the id.

You probably want:

SELECT * FROM users WHERE (username='$username' 
OR email='$email') AND NOT id='$id'