The sqlsrv_query does not return any result after the checking data function is perform

Question

I am working as a company project task related to prevent duplication of data entered for user registration. The data i wish to prevent them from duplicate is email(user cant signup using same email for the application). There are two page involve in the checking process (signup.php and insert.php). Signup.php is where user key in informations on all 6 pages for register as a company user. Insert.php is where inserting data into sql server and i have implemented code for checking before inserting data into sql server.

    //email validation
    $emailvalid="SELECT Email FROM EcomLogin WHERE Email  = '$_POST[email]'";
    $stmt3=sqlsrv_query($conn,$emailvalid);
    if($stmt3){
        header("location:signup.php?status=error&message=Error when register with email!");
 exit();
        die(print_r(sqlsrv_errors(), true));
    }

Meanwhile in signup.php(registration form). on top of the form i have include a php code which block website for directing user to second registration page if first page information is duplicated with database record in this case is email.

<?php 
if(isset($_GET['status']) && $_GET['status'] == 'error'){
echo '<script>toastr.error("Email has already been registered!");history.replaceState(null, "", location.href.split("&")[0]);</script>';}
?>

In the head section i have also include script below for toast function

 <script src="https://cdnjs.cloudflare.com/ajax/libs/toastr.js/latest/toastr.min.js" integrity="sha512-VEd+nq25CkR676O+pLBnDW09R7VQX9Mdiij052gVCp5yVH3jGtH70Ho/UUv4mJDsEdTvqRCFZg0NKGiojGnUCw==" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/toastr.js/latest/toastr.css" integrity="sha512-3pIirOrwegjM6erE5gPSwkUzO+3cTjpnV9lexlNZqvupR64iZBnOOTiiLPb9M36zpMScbmUNIcHUqKD47M719g==" crossorigin="anonymous" />
    <script src="https://cdn.jsdelivr.net/npm/underscore@1.13.1/underscore-umd-min.js"></script>

After i input same email address for registration., it lead me to second page of registration page which is not allow to be do so. it expect to be a toastr message appear on first page if duplicated email is used on first page and blocking them to the second page of registration page.

Do any part of my coding is wrong or i am missing any kind of coding to perform the blocking function in php file? if the coding is correct do i need to create another function from preventing website direct user to second page? The signup.php will look through another js file which is validating input field first then only execute insert.php.

Answer 1

There are at least these two issues with your code:

• You need to understand what exactly sqlsrv_query() returns. As is explained in the documentation , the result is a statement resource, or if the statement cannot be created and/or executed, false is returned. So, the check if($stmt3) {...} means, that the statement is executed correctly, not that there is a row with the specified e-mail.
• Always use parameterized statements to prevent possible SQL injection issues.

If I understand your issue correctly and you want to check if an e-mail already exists, the following approaches are possible solutions:

• Use your current statement and check if the result set has one or more rows using sqlsrv_has_rows() .
• Change the statement to get the count of the rows for the specified e-mail.

PHP:

<?
...
$sql    = "SELECT Email FROM EcomLogin WHERE Email = ?";
$params = array($_POST[email]);
$stmt   = sqlsrv_query($conn, $sql, $params);
if ($stmt === false) {
    header("location:signup.php?status=error&message=Error when register with email!");
    die(print_r(sqlsrv_errors(), true));
}   
if (sqlsrv_has_rows($stmt)) {
    header("location:signup.php?status=error&message=Error when register with email!");
    die(print_r(sqlsrv_errors(), true));
}
...

...
$sql    = "SELECT COUNT(*) AS EmailCount FROM EcomLogin WHERE Email = ?";
$params = array($_POST[email]);
$stmt   = sqlsrv_query($conn, $sql, $params);
if ($stmt === false) {
    header("location:signup.php?status=error&message=Error when register with email!");
    die(print_r(sqlsrv_errors(), true));
}   
$count = 0;
while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)){
    $count = $row["EmailCount"];
}
if ($count >= 1) {
    header("location:signup.php?status=error&message=Error when register with email!");
    die(print_r(sqlsrv_errors(), true));
}
...
?>

Answer 2

Keep in mind that

 $stmt3=sqlsrv_query($conn,$emailvalid);
    if($stmt3){

might return TRUE even if there is no such email, because the sql query is legal but does not produce a result nor an error.

You could count for emails as here:

$emailvalid="SELECT count(Email) as found FROM EcomLogin WHERE Email  = '$_POST[email]'";

Fetch the record an look at the value of found

As a very last guard against dublicate emails you can create a UNIQUE INDEX above Email. With this the DB itself rejects duplictes