error in finding username in database

Question

jovstudios -3 Junior Poster in Training

11 Years Ago

how can detect if the username is already exist??
i don't what is lacking in my code. this is my code:

<?php
include( "db.php" );

$first = strip_tags(mysql_real_escape_string($_POST['first']));
$last = strip_tags(mysql_real_escape_string($_POST['last']));
$username = strip_tags(mysql_real_escape_string($_POST['username']));
$password = strip_tags(mysql_real_escape_string($_POST['password']));
 $password2 = strip_tags(mysql_real_escape_string($_POST['password2']));
 $passwordmd5 = md5($password);
if( empty($first) || empty($last) ||empty($username) || empty($password) || empty($password2))
    {
    echo "ALL fields required";
    }
else{
$userQ = mysql_query("SELECT * FROM admin WHERE 'username' = '{$username}'");
if ($password !== $password2)
{
echo "do not match";
}
else{
mysql_query("INSERT INTO admin (first, last,username,password) Values ('{$first}','{$last}','{$username}','{$passwordmd5}')");
echo "Your Succesfully Registered!";
header("location: adminlogin.php");
}
}
?>

when i click on the register button I can still register even if the username is already exist. thanks in advance..hope u can help me this simple problem.

php

6 Contributors
10 Replies
184 Views
4 Hours Discussion Span
Latest Post 11 Years Ago Latest Post by diafol

Squidge 101 Newbie Poster

11 Years Ago

have you set your DB column for the Username as UNIQUE?

you will also need to compare $username to an array of stored usernames from the DB

Edited 11 Years Ago by Squidge

JorgeM 958 Problem Solver

11 Years Ago

On line 15, you performed your query, but I don't see where you checked to see if there was a match. You didn't check the result against anything.

diafol

11 Years Ago

@Jorge

This is MySQL rather than PHP I think, but anyway...

As Squidge states, backticks help MySQL discern reserved words from fieldnames. Most of the time you don't need backticks, but you should NEVER use any type of quotes for fieldnames. As it happens username is not a reserved word and as such does not need backticks anyway. However, I find it good practice to use them as the list of reserved words is quite long and it's not always obvious when you get an error due to lack of backticks. :)

Edited 11 Years Ago by diafol

Squidge commented: much better explaination :) +6

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

diafol · Answer 1 · 2013-07-28T17:57:25+00:00

Your code just highlights the need to move to mysqli or PDO. The cleaning is pretty horrible. Look up 'parameterized binding'.

Anyway:

"SELECT * FROM admin WHERE 'username' = '{$username}'"

is wrong as you've enclosed the username field within single quotes - use backticks instead - and you don't need {braces} unless you have array items, object properties or are placing them directly before text:

"SELECT * FROM admin WHERE `username` = '$username'"

almostbob 866 Retired: passive income ROCKS · Answer 2 · 2013-07-28T18:09:31+00:00

still learning sql, does this work
if mysql_query("SELECT username FROM admin WHERE 'username' = '$username';) { die('username already registered'); }

nnayram 0 Newbie Poster · Answer 3 · 2013-07-28T18:22:24+00:00

maybe this could help you..hope this will work

<?php
include( "db.php" );

$first = strip_tags(mysql_real_escape_string($_POST['first']));
$last = strip_tags(mysql_real_escape_string($_POST['last']));
$username = strip_tags(mysql_real_escape_string($_POST['username']));
$password = strip_tags(mysql_real_escape_string($_POST['password']));
 $password2 = strip_tags(mysql_real_escape_string($_POST['password2']));
 $passwordmd5 = md5($password);
if( empty($first) || empty($last) ||empty($username) || empty($password) || empty($password2))
    {
    echo "ALL fields required";
    }
else{
$userQ = mysql_query("SELECT * FROM admin WHERE 'username' = '$username'");
if (mysql_num_rows($userQ) == 1)
{
echo"This user already exists.";
}

if ($password !== $password2)
{
echo "do not match";
}
else{
mysql_query("INSERT INTO admin (first, last,username,password) Values ('{$first}','{$last}','{$username}','{$passwordmd5}')");
echo "Your Succesfully Registered!";
header("location: adminlogin.php");
}
}
?>

JorgeM 958 Problem Solver Team Colleague Featured Poster · Answer 4 · 2013-07-28T18:30:19+00:00

Anyone...I'm in the process of learning some PHP....

Why does the SQL field require ticks or single quotes?

 ...SELECT * FROM admin WHERE 'username' = ...

Squidge 101 Newbie Poster · Answer 5 · 2013-07-28T18:35:31+00:00

@JorgeM,

Backticks are requied when the naming is a reserved MySQL word.

http://dev.mysql.com/doc/refman/5.6/en/reserved-words.html

JorgeM 958 Problem Solver Team Colleague Featured Poster · Answer 6 · 2013-07-28T21:02:35+00:00

Ah I see. My experience is with asp.net and MSSQL and in SQL I general place brackets around the field name for this same reason or when a field has more than one word..sauch as...

  ...SELECT * FROM admin WHERE [User Name] = ...

I had assumed the ticks was a PHP thing not MySQL. Anyways thanks for the clarification as I'm trying to learn some PHP these days... Been reading the online manual.

diafol · Answer 7 · 2013-07-28T22:22:42+00:00

Yes, several words in a fieldname also require a backtick. Good point. However - personally, I avoid such things and introduce underscores instead of spaces.