PHP Login application - Check if username already exists when creating a new user
The title tells pretty much everthing, that needs to be said. I'm having a registration code looking like this:
I wan't it to check, if the username entered already exists, if it does - write and $errMsg = ""; and echo it out later.. I hope you can help me, thanks.
if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['name']) && isset($_POST['last_name']) && isset($_POST['company'])){
if($username === '') {
$errMsg = "Du skal udfylde brugernavn";
}
elseif($password === ''){
$errMsg = "Du skal udfylde password";
}
elseif($name === ''){
$errMsg = "Du skal udfylde navn";
}
elseif($last_name === ''){
$errMsg = "Du skal udfylde efternavn";
}
elseif($company === ''){
$errMsg = "D开发者_开发问答u skal udfylde firma";
}
$sql = ("SELECT * FROM members WHERE username ='$username'");
$result = mysql_query($sql) or die('error');
$row = mysql_fetch_assoc($result);
if(mysql_num_rows($result)) {
$errMsg = 'Brugernavn findes, vælg et andet.';
} else {
$sql = ("INSERT INTO members (username, password, name, last_name, company, salt)VALUES('$username', '$password', '$name', '$last_name', '$company', '$salt')")or die(mysql_error());
if(mysql_query($sql))
echo "Du er oprettet som profil.";
}
}//End whole if
- Don't use
and
in yourif()
use&&
empty()
already checks if the value is set. Instead do$_POST['username'] === ''
note the three equals. Even better is to trim the result:trim($_POST['username']) === ''
You have an absolutely MASSIVE hole in your SQL that will get you completely hacked. YOU MUST USE
mysql_real_escape_string()
!!!! Like this:$sql = "INSERT INTO members (username, password, name, last_name, company, salt)VALUES('" . mysql_real_escape_string($username) . "', '" . mysql_real_escape_string($password) . "', '" . mysql_real_escape_string($name) . "', '" . mysql_real_escape_string($last_name) . "', '" . mysql_real_escape_string($company) . "', '$salt')";
To check if the record exists first try a
SELECT
:$sql = "SELECT COUNT(*) num FROM members WHERE username = '" . mysql_real_escape_string($username) . "'"; $result = mysql_query($sql) or die('error'); $row = mysql_fetch_assoc($result); if($row['num']) { $errMsg = 'Username exists'; }
Alternative:
$sql = "SELECT * FROM members WHERE username = '" . mysql_real_escape_string($username) . "'";
$result = mysql_query($sql) or die('error');
$row = mysql_fetch_assoc($result);
if(mysql_num_rows($result)) {
$errMsg = 'Username exists';
}
The second version gives you the row if you need it, not just a count.
//If anything is empty write an error.
if(empty($_POST['username'])){
$errMsg = "Du skal udfylde brugernavn.";
}
elseif(empty($_POST['password'])){
$errMsg = "Du skal udfylde password.";
}
elseif(empty($_POST['name'])){
$errMsg = "Du skal udfylde navn.";
}
elseif(empty($_POST['last_name'])){
$errMsg = "Du skal udfylde efternavn.";
}
elseif(empty($_POST['company'])){
$errMsg = "Du skal udfylde firma.";
} else {
$sql = (" SELECT * FROM users WHERE username ='.$username.'")
$res = mysql_query($sql) ;
while ($row = mysql_fetch_array($res) ){
$errMsg = "Your error message";
exit();
}
$sql = ("INSERT INTO members (username, password, name, last_name, company, salt)VALUES('$username', '$password', '$name', '$last_name', '$company', '$salt')")or die(mysql_error());
if(mysql_query($sql))
echo "Du er oprettet som profil.";
}//End if empty else
I also took out the surrounding if
- if it were to execute the then
, then no error would of been displayed, because everything was set
You will have to look it up.
$sSelect = "SELECT FROM members WHERE username = ".$sUserName." LIMIT 1";
$rResult = mysql_query($sSelect);
if (mysql_num_rows($rResult) > 0) {
echo 'error, it exists!';
}
精彩评论