Checking if user's email address matches any existing email addresses in database

StackOverflow https://stackoverflow.com/questions/18247141

Question

I have a form that requires a user to enter their email address in order to receive a password reset email. I'm trying to compare the email to existing emails in the database before sending the email; if the email doesn't exist, the script should not send the reset email. I've been reading posted questions/responses and Googling my brains out for hours, as well as altering the code to remove white space or tweak the syntax but nothing has rid me of this #1064 error message...'bouts ta give up...

The error I get is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@rocketmail.com' at line 1 SQL: SELECT customer_id FROM customer WHERE customer_email = user@rocketmail.com

$sql = "SELECT customer_id FROM customer WHERE customer_email = ".$_POST['email'];
$result = mysqli_query($db, $sql) or die(mysqli_error($db)."<br />SQL: $sql");
$num_rows = mysql_num_rows($result);

if($num_rows < 1) {
$problem = TRUE;
$error_message .= '<p class="errorctr">Email was not found in our database.</p>';
}
Was it helpful?

Solution

You have to enclose a string value in quotes, otherwise it will surely be a syntax error that you get. Your PHP syntax is fine, MySQL is not

$sql = "SELECT customer_id FROM customer WHERE customer_email = '".mysqli_real_escape_string($db,$_POST['email'])."'";

Also later down in your code you have mysql_num_rows, which shuld be mysqli_num_rows like this

$num_rows = mysqli_num_rows($result);

OTHER TIPS

Speaking of what you really need to try, it is PDO:

$sql = "SELECT customer_id FROM customer WHERE customer_email = ?";
$stm = $pdo->prepare($sql);
$stm->execute(array($_POST['email']));
$id  = $stm->fetchColumn();
if(!$id) {
    ...

Try This:

         $email = $_POST['email'];
         $sql = "SELECT customer_id FROM customer WHERE customer_email = '".mysqli_real_escape_string($db,$email )."'";
   $result = mysqli_query($db, $sql) or die(mysqli_error($db)."<br />SQL: $sql");

   while($row = mysqli_fetch_array($result)){

        if(!$row['customer_email']){
         echo '<p class="errorctr">Email was not found in our database.</p>';
               }

      }
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top