
I'm facing a weird problem. I'm trying to implement a simple user check with PHP 7.1.

$con = getConnection();
// check connection
if (!$con) {
    die("Connection to database failed" . mysqli_connect_error());
} else {
    echo "connection to database successfull";
}

// checking if nickname already exists
// (this is line 29 in the original file; "+" is what triggers the warning)
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname + "'";
// sending query to sql database
$doesExist = mysqli_query($con, $checkUserExistanceSql)
    or die("Fehler in der Datenbankabfrage");

if (mysqli_num_rows($doesExist) >= 1) {
    echo "Nickname not available, use another name";
}

But I'm getting this warning:

Warning: A non-numeric value encountered in E:\XAMPP\htdocs... Line 29

Line 29 is the $checkUserExistanceSql line. Any ideas where the problem is?

Ara Light
  • Change `"SELECT nickname FROM user WHERE nickname='" + $nickname+ "'"` to `"SELECT nickname FROM user WHERE nickname='" .$nickname. "'"`. Not specifically PHP 7.1 related, btw. – Yolo Mar 23 '17 at 17:05
  • @Yolo the warning might be PHP 7.1 related. Previously (at least in 5.6) it would silently convert the strings to ints (usually 0) and do the addition. That's probably not the intention in most cases. – apokryfos Mar 23 '17 at 17:11
  • @Yolo thank you very much, this solved it instantly. I've been searching for 4 straight hours now. – Ara Light Mar 23 '17 at 17:20

2 Answers

String concatenation in PHP uses . (dot) as the operator, not + (plus).

Your actual code uses +:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";

This is why PHP is telling you that $nickname isn't a numeric variable. It cannot sum strings, only concatenate them.

Change your operator to . and it will work:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";

You can also use this syntax, with the same result but cleaner code:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";

Security Alert

Your code is susceptible to SQL injection. You should use prepared statements instead of concatenating your variables into the query.

Elias Soares
  • Can you tell me why you are using curly brackets? It works without them: `'$nickname'` – Mario Mar 23 '17 at 17:24
  • Thank you very much, this solves a lot of issues for me right now. I would have used my form of code for other functions as well. – Ara Light Mar 23 '17 at 17:25
  • @Mario using the brackets avoids some errors when the next character is a valid variable character, e.g. `"Foo$nicknameBar"`. PHP will try to concatenate `$nicknameBar` instead of the desired `$nickname` variable. In this situation, since the next character is a single quote, this will work, but it is good practice to use `{}`, so you will never have this problem. – Elias Soares Mar 23 '17 at 17:29
  • Thanks @EliasSoares for the explanation, I'm starting to use it from now on :) – Mario Mar 23 '17 at 17:30

Thanks to the help of Yolo and Elias Soares. The script runs flawlessly now. I also used a prepared statement to counter the risk of SQL injection, as mentioned by Elias.

$con = getConnection();
// check connection
if (!$con) {
    die("Connection to database failed" . mysqli_connect_error());
} else {
    echo "connection to database successfull";
}

// prepared statement for sql query: the nickname is bound as a parameter,
// never concatenated into the SQL text
$stmt = $con->prepare("SELECT nickname FROM user WHERE (nickname=?)");
if (!$stmt) {
    die("Preparing the statement failed: " . $con->error);
}
$stmt->bind_param("s", $nickname);
$stmt->execute();

// checking result, if nickname is already used
// (get_result() returns a mysqli_result object even for zero rows, which is
// always truthy, so the row count has to be checked explicitly)
$result = $stmt->get_result() or die("Fetching the result failed: " . $stmt->error);
if ($result->num_rows >= 1) {
    echo "0";
} else {
    // insert user
}
Ara Light
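The following script is an added example, not code from the question or from either answer. It ties the thread together: the `+` expression from the question and what it evaluates to, the `.`/`{$var}` fix from Elias Soares's answer and why it still leaves the query fragile, and a mysqli prepared statement like the one in the second answer, with the row count checked correctly. The table `user` with a `nickname` column is taken from the thread; the sample nickname `O'Brien`, the `nicknameTaken()` helper and the `DB_HOST`/`DB_USER`/`DB_PASS`/`DB_NAME` environment variables are assumptions made for this example.

```php
<?php
// Added example, not code from the question or either answer. It shows the
// three pieces the thread discusses: why "+" on strings produces the warning,
// why "." concatenation still leaves the query fragile, and a mysqli prepared
// statement that checks for an existing nickname safely.
declare(strict_types=1);

// The asker's original expression. PHP's "+" converts both operands to numbers.
function arithmeticOnStrings(string $nickname)
{
    try {
        // PHP 7.1: E_WARNING "A non-numeric value encountered" per operand, result int(0)
        // PHP 8+:  TypeError "Unsupported operand types: string + string"
        return "SELECT nickname FROM user WHERE nickname='" + $nickname + "'";
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

// The accepted fix ("." or "{$var}" interpolation). The warning is gone, but the
// nickname is still spliced into the SQL text, so any quote character in it
// changes the statement: a legitimate name such as O'Brien is enough to break it.
function concatenatedQuery(string $nickname): string
{
    return "SELECT nickname FROM user WHERE nickname='{$nickname}'";
}

// The safe version: the nickname travels as a bound parameter, never as SQL text.
// Assumes a table "user" with a "nickname" column, as in the thread.
function nicknameTaken(mysqli $con, string $nickname): bool
{
    $stmt = $con->prepare('SELECT 1 FROM user WHERE nickname = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $nickname);
    $stmt->execute();
    $stmt->store_result();            // buffer the rows so num_rows is populated
    $taken = $stmt->num_rows > 0;     // a result object alone is always truthy, so count rows
    $stmt->close();
    return $taken;
}

// Constructed sample input: a nickname with a legitimate apostrophe.
$nickname = "O'Brien";

var_dump(arithmeticOnStrings($nickname));
echo concatenatedQuery($nickname), PHP_EOL;
// The echoed SQL has unbalanced quotes: ... WHERE nickname='O'Brien'

// The database part only runs when placeholder connection settings are supplied
// through the environment (DB_HOST, DB_USER, DB_PASS, DB_NAME are assumed names).
$host = getenv('DB_HOST');
if ($host !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions
    $con = new mysqli($host, getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '', getenv('DB_NAME') ?: '');
    $con->set_charset('utf8mb4');
    echo nicknameTaken($con, $nickname)
        ? "Nickname not available, use another name"
        : "Nickname is free";
    echo PHP_EOL;
    $con->close();
}
```

Run it without the environment variables to see only the string behaviour; set them against a test database to exercise the prepared statement. With `MYSQLI_REPORT_STRICT` enabled, `prepare()` throws on failure instead of returning `false`, so the explicit `=== false` check only matters when the function is reused without that reporting mode. `store_result()` plus `num_rows` is used instead of `get_result()` because it does not require the mysqlnd driver and makes the row-count check explicit, which is the defect in the second answer's original `if ($stmt->get_result())` test.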