  1. #1
    New Coder
    Join Date
    Sep 2011
    Location
    Blackpool
    Posts
    55
    Thanks
    7
    Thanked 1 Time in 1 Post

    Checking if a user already exists

    A video explaining what it does and what you need to add:
    http://www.youtube.com/watch?v=Rl07aHtWnTs

    The source
    PHP Code:
    $usernamecheck = mysql_query("SELECT username FROM users WHERE username = '$_POST[username]'");
    $userchecker = mysql_fetch_assoc($usernamecheck);
    if ($_POST['username'] == $userchecker['username']) {
        // checks to see if username is already in use.
        echo 'The username is already taken.';
    }
    Subscribe to a channel dedicated to helping people learn HTML, PHP & CSS.
    http://www.youtube.com/user/RanTutorials

  • #2
    Master Coder felgall
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,609
    Thanks
    0
    Thanked 645 Times in 635 Posts
    1. You should validate the $_POST[username] field before using it in that database call - otherwise it could be used for an injection attack - eg to add a billion extra junk users and/or to delete all the users that are there. Does user: ' OR 1=1; DELETE FROM users WHERE 1=1; exist?

    2. The mysql_ interface is obsolete and about to be removed from PHP. You should be using either mysqli_ calls or PDO instead.

    3. Both mysqli_ and PDO support the use of prepare/bind to prevent injection attacks - query should only be used where there are no variables to be substituted into the SQL.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
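
The prepare/bind approach from point 3 of the reply above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database standing in for MySQL (so it runs offline), the `users`/`username` names from the first post, constructed sample rows, and two hypothetical helpers, `usernameExists()` and `isValidUsername()`.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database so the
// script runs offline; the users table and its rows are constructed samples.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Hypothetical helper: true when the username is already registered.
function usernameExists(PDO $pdo, string $username): bool
{
    // The SQL text is fixed; the value travels separately as a bound
    // parameter, so quotes or semicolons in it cannot change the statement.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Hypothetical validation rule: 3-20 letters, digits or underscores.
function isValidUsername(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) === 1;
}

$samples = [
    'alice',                                   // already in the table
    'carol',                                   // not in the table
    "' OR 1=1; DELETE FROM users WHERE 1=1;",  // the string quoted in post #2
];

foreach ($samples as $name) {
    if (!isValidUsername($name)) {
        echo "rejected by validation: $name\n";
    }
    // Queried even when invalid, to show the bound value is compared as data.
    echo usernameExists($pdo, $name) ? "taken: $name\n" : "not found: $name\n";
}

// Count the rows again after the lookups.
echo 'rows in users: ' . $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn() . "\n";
```

In a registration script the UNIQUE constraint on `username` is still what guarantees there are no duplicates, because two requests can both pass this check before either inserts.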

  • #3
    New Coder
    Join Date
    Sep 2011
    Location
    Blackpool
    Posts
    55
    Thanks
    7
    Thanked 1 Time in 1 Post
    Quote: Originally Posted by felgall
    1. You should validate the $_POST[username] field before using it in that database call - otherwise it could be used for an injection attack - eg to add a billion extra junk users and/or to delete all the users that are there. Does user: ' OR 1=1; DELETE FROM users WHERE 1=1; exist?

    2. The mysql_ interface is obsolete and about to be removed from PHP. You should be using either mysqli_ calls or PDO instead.

    3. Both mysqli_ and PDO support the use of prepare/bind to prevent injection attacks - query should only be used where there are no variables to be substituted into the SQL.
    1. This was, roughly, a snippet from a registration script.

    2. Yes, I will need to get up to date with the changes.

    3. This was from a local host that only I would have access to. I think it is common sense to put injection prevention methods into your own scripts.