
So I'm building a login/signup page in Ruby/Sinatra, and I'm trying to add some logic so that if someone tries to sign up with an email that is in use, it will tell them so, and not allow them to sign up.

require 'rubygems'
require 'sinatra'
require 'mysql'

get "/" do
  erb :form
end

post "/" do
  begin
    con = Mysql.new('localhost', 'tut', 'tut', 'recruited_users')
    auth = con.query('SELECT school FROM users WHERE email = "#{params[:email]}" AND password = "#{params[:password]}"')
    auth.fetch_row
  ensure
    con.close if con
  end
end

get '/signup' do
  erb :signup
end

post '/signup' do
  begin
    con = Mysql.new('localhost', 'tut', 'tut', 'recruited_users')
    check_for_user = con.query("SELECT email FROM users WHERE email = '#{params[:email]}'")
    if check_for_user == ''
      "Sorry, but there is already an account for this user. The ID is '#{params[:check_for_user]}', please try again"
    else
      auth = con.query("INSERT INTO users (email, password, school) VALUES('#{params[:email]}', '#{params[:password]}', '#{params[:school]}')")
      "Successfully created user #{params[:email]}"
    end
  ensure
    con.close if con
  end
end

The problem is that the variable check_for_user is not receiving any value, at least not one that I can work with. I need to be able to set up the if statement so that they can only create a new user if the email does not already exist in the database.

    Just out of interest, what is making you choose raw SQL rather than an ORM like sequel or datamapper? Commented Sep 3, 2012 at 5:41

1 Answer


First of all, you can't use string interpolation (#{...}) inside a single-quoted string; that only works with double-quoted strings (or things like %Q{...} that behave like double-quoted strings). Secondly, string literals in SQL should be quoted with single quotes; MySQL and SQLite let you get away with double quotes, but that's a bad habit. Thirdly, we're not hacking PHP in 1999, so you shouldn't be using string interpolation to build SQL; you should use placeholders:

sth = con.prepare('select school from users where email = ? and password = ?')
sth.execute(params[:email], params[:password])  # values are bound as data, never spliced into the SQL text
row = sth.fetch                                  # nil when no row matched
if row.nil?
    # Didn't find anything
else
    # The school is in row.first
end
sth.close

3 Comments

In addition, the user could enter their string in a different letter-case than the initial email address. The case-sensitive search would return a miss, but folding to the same case in the database and the search, would return a hit.
I tried the above code, and I'm still not getting the right result. Is there something I need to do to use the ? placeholder?
@bwheeler96: what does "not working" mean? Any errors or exceptions? Do you have a case problem as Tin Man noted? Have you tried your queries in the mysql tool?
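As an added example (not code from the question or the answer above): the database work of both routes rewritten around the prepared statements the answer recommends, pulled into small helpers that take a connection object. The helpers use only the ruby-mysql calls the answer already shows (prepare, execute, fetch, close). MemoryConnection is a constructed stand-in with that same API so the file runs offline; normalize_email, user_exists?, create_user, authenticate, signup and the sample users are all assumptions made for this example. Emails are folded to lower case before they are stored or compared, which addresses the letter-case miss one commenter raised. Against a real server, replace the stand-in with Mysql.new(...).

```ruby
require 'erb'

# Signup and login helpers built on prepared statements. `con` is anything
# with the ruby-mysql Mysql#prepare API; MemoryConnection below is a
# constructed stand-in used here so the file runs without a server.

# Fold the address to one form before storing or comparing it, so a later
# signup with different letter case or stray whitespace still hits the row.
def normalize_email(email)
  email.to_s.strip.downcase
end

# True if a row with this email exists. The address goes over as a bound
# value, so input such as "' OR '1'='1" is compared as a literal string
# rather than parsed as SQL.
def user_exists?(con, email)
  stmt = con.prepare('SELECT 1 FROM users WHERE email = ?')
  stmt.execute(normalize_email(email))
  !stmt.fetch.nil?
ensure
  stmt.close if stmt
end

# NOTE: this stores the password as posted, as the question's table does.
# A real signup path should hash it (bcrypt or similar) before this point.
def create_user(con, email, password, school)
  stmt = con.prepare('INSERT INTO users (email, password, school) VALUES (?, ?, ?)')
  stmt.execute(normalize_email(email), password, school)
ensure
  stmt.close if stmt
end

# Returns the school for a matching email/password pair, or nil.
def authenticate(con, email, password)
  stmt = con.prepare('SELECT school FROM users WHERE email = ? AND password = ?')
  stmt.execute(normalize_email(email), password)
  row = stmt.fetch
  row && row.first
ensure
  stmt.close if stmt
end

# The decision the question asks for: refuse the signup when the email is
# taken. The email is HTML-escaped because Sinatra returns this string as-is.
def signup(con, email, password, school)
  shown = ERB::Util.html_escape(email)
  if user_exists?(con, email)
    "Sorry, but there is already an account for #{shown}, please try again"
  else
    create_user(con, email, password, school)
    "Successfully created user #{shown}"
  end
end

# Constructed stand-in for Mysql#prepare / Mysql::Stmt. It knows only the
# three statements above and never interprets bound values as SQL, which is
# the property a real prepared statement gives you.
class MemoryConnection
  class Stmt
    def initialize(con, sql)
      @con, @sql, @rows = con, sql, []
    end

    def execute(*binds)
      @rows = @con.run(@sql, binds)
      self
    end

    def fetch
      @rows.shift
    end

    def close; end
  end

  def initialize
    @users = [] # rows kept as { email:, password:, school: }
  end

  def prepare(sql)
    Stmt.new(self, sql)
  end

  def close; end

  def run(sql, binds)
    case sql
    when 'SELECT 1 FROM users WHERE email = ?'
      @users.select { |u| u[:email] == binds[0] }.map { [1] }
    when 'SELECT school FROM users WHERE email = ? AND password = ?'
      @users.select { |u| u[:email] == binds[0] && u[:password] == binds[1] }.map { |u| [u[:school]] }
    when 'INSERT INTO users (email, password, school) VALUES (?, ?, ?)'
      @users << { email: binds[0], password: binds[1], school: binds[2] }
      []
    else
      raise ArgumentError, "unsupported statement: #{sql}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  con = MemoryConnection.new
  puts signup(con, 'alice@example.com', 'hunter2', 'Example U')  # created
  puts signup(con, 'Alice@Example.com', 'other', 'Other U')      # refused: same address
  p authenticate(con, 'alice@example.com', 'hunter2')            # "Example U"
  p authenticate(con, "' OR '1'='1", "' OR '1'='1")              # nil
end
```

The existence check is still a check-then-insert, so two requests for the same email that arrive together can both pass it; put a UNIQUE index on users.email and rescue Mysql::Error around the insert so the database, not the route, is the final arbiter. The block also escapes the email before echoing it, since Sinatra sends the returned string to the browser unchanged.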
