user registration php
<?php
include "include/connection.php";
$checkusername=mysql_query("SELECT * FROM employer WHERE eusername='$username'");
if (mysql_num_rows($checkusername)==1)
{
echo "username already exist";
}
else
{
$query = "insert into employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry) values ('".$_POST['first_name']."','".$_POST['last_name']."','".$_POST['gender']."','".$_POST['email']."','".$_POST['username']."','".$_POST['password']."','".$_POST['address']."','".$_POST['phone']."','".$_POST['city']."','".$_POST['country']."')";
$result = mysql_query($query) or die (mysql_error());
echo " Thanks for registration";
}
?>
This is my code for inserting registration form data into a database. This code adds the data but also gives a parse error, but does not give the error if the username already exists.
Notice: Undefined variable: username in C:\Program Files\EasyPHP5.3.0\www\register_hirer2.php on line 6
Thanks for registration
line 6 is:
$checkusername=mysql_query("SELECT * FROM employer WHERE eusername='$username'");
Well, your $username is undefined indeed. Most probably you want to use $_POST['username'].
And of course this obligatory XKCD comic:
If the "data source" is an html form (supposedly using method="post") you have to use $_POST['username'] when register_globals is set to off (which is the default since ...ages). See http://docs.php.net/security.globals
Also have a read of http://php.net/manual/en/security.database.sql-injection.php
<?php
include "include/connection.php";
$query = "SELECT
*
FROM
employer
WHERE
eusername='". mysql_real_escape_string($_POST['username']). "'
";
$checkusername=mysql_query($query) or die(mysql_error());
if (mysql_num_rows($checkusername)==1)
{
    echo "username already exist";
}
else
{
    // escape every form value the same way before it is put into the SQL string
    $first_name = mysql_real_escape_string($_POST['first_name']);
    $last_name = mysql_real_escape_string($_POST['last_name']);
    $gender = mysql_real_escape_string($_POST['gender']);
    $email = mysql_real_escape_string($_POST['email']);
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $address = mysql_real_escape_string($_POST['address']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $city = mysql_real_escape_string($_POST['city']);
    $country = mysql_real_escape_string($_POST['country']);
    $query = "INSERT INTO employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry) VALUES ('$first_name','$last_name','$gender','$email','$username','$password','$address','$phone','$city','$country')";
    $result = mysql_query($query) or die (mysql_error());
    echo " Thanks for registration";
}
?>
You can also use prepared statements. This way you don't need, and can't forget, an escaping function.
Edit, and btw: you don't need the SELECT before the INSERT in order to make the username unique. Actually it will make things even harder, since now you have to deal with race conditions. You'd have to lock the table between those two queries.
If you add a unique index for the username in your table, MySQL will not allow the insertion of a doublet but instead return a specific error code, which your script can fetch and handle without the need of dealing with race conditions.
define('ER_DUP_ENTRY', 1062); // MySQL error number returned when a UNIQUE key is violated
$mysql = mysql_connect('..', '..', '..');
mysql_select_db('..', $mysql) or die(mysql_error($mysql));
// column name => form field name
$fields = array(
    'efname'=>'first_name',
    'elname'=>'last_name',
    'egender'=>'gender',
    'eemail'=>'email',
    'eusername'=>'username',
    'epwd'=>'password',
    'eadd'=>'address',
    'ephone'=>'phone',
    'ecity'=>'city',
    'ecountry'=>'country'
);
$sqlparams = array();
foreach($fields as $sql=>$form) {
    if ( !isset($_POST[$form]) ) {
        die('missing post parameter '. $form);
    }
    // escape each value with the connection it will be sent over
    $sqlparams[$sql] = "'".mysql_real_escape_string($_POST[$form], $mysql)."'";
}
$query = '
INSERT INTO
employer
('. join(', ', array_keys($sqlparams)) .')
VALUES
('.join(',', $sqlparams).')
';
// table:employer has been defined with "unique key idxName (eusername)"
$result = mysql_query($query, $mysql);
if ( false!==$result ) {
    echo " Thanks for registration";
}
else if ( ER_DUP_ENTRY===mysql_errno($mysql) ) {
    echo 'username already exists';
}
else {
    echo 'an error occurred';
}
That is because you do not define $username anywhere. It looks as though you want to use $_POST['username']
mysql_query("SELECT * FROM employer WHERE eusername='{$_POST['username']}'");
Also, your code is vulnerable to a SQL Injection
You never define $username anywhere, so it gives that error because you are trying to use a variable that it doesn't have a value for.
This is most likely because you've not defined the '$username' variable. I presume that you're relying on this being populated from the incoming GET/POST data (most likely via the deprecated register_globals), which is bad practice.
As such, you'll need to either populate $username via $_POST or $_GET.
More importantly, you should update the insert query to escape the incoming 'untrusted' data using mysql_real_escape_string (e.g.: mysql_real_escape_string($_POST['username']), etc.)
As @Yacoby said, your code is vulnerable to SQL injection. To prevent it you can use mysqli or PDO; if you would like to use mysqli, use the following code:
<?php
include "include/connection.php"; // assumed to create the mysqli connection $conn
// check whether the username is already taken, with a prepared statement
$check = $conn->prepare("SELECT eusername FROM employer WHERE eusername = ?");
$check->bind_param("s", $_POST['username']);
$check->execute();
$check->store_result();
if ($check->num_rows >= 1)
{
    echo "username already exist";
}
else
{
    $query = $conn->prepare("INSERT INTO employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry) VALUES ( ? , ? , ? , ? , ? , ? , ? , ? , ? , ?)"); // preparing the insert
    $query->bind_param("ssssssssss", $_POST['first_name'], $_POST['last_name'], $_POST['gender'], $_POST['email'], $_POST['username'], $_POST['password'], $_POST['address'], $_POST['phone'], $_POST['city'], $_POST['country']); // binding parameters
    if ($query->execute()) { // sending the parameter values; true only if executed with no errors
        echo " Thanks for registration";
    }
    $query->close(); // closing the query
}
$check->close();
$conn->close(); // closing the connection
?>
BE SURE TO CHANGE THE $conn AND variables to whatever you want!
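The unique-index approach from the earlier answer and the prepared statements this answer recommends, combined in one script. This is an added example and not code from any of the answers; it uses PDO instead of the mysql_* functions, and the DSN, credentials and the "UNIQUE KEY idxName (eusername)" table definition are assumptions.

```php
<?php
// Added example (not from the original answers): registration with PDO prepared
// statements plus a UNIQUE index on eusername, so no SELECT-before-INSERT race.
// Assumes your own DSN/credentials and the question's table created with
// "UNIQUE KEY idxName (eusername)".
const ER_DUP_ENTRY = 1062; // MySQL error number for a duplicate key
$pdo = new PDO('mysql:host=localhost;dbname=jobs;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);
// column => form field, the same mapping the earlier answer uses
$fields = [
    'efname' => 'first_name', 'elname' => 'last_name', 'egender' => 'gender',
    'eemail' => 'email', 'eusername' => 'username', 'epwd' => 'password',
    'eadd' => 'address', 'ephone' => 'phone', 'ecity' => 'city', 'ecountry' => 'country',
];
$params = [];
foreach ($fields as $column => $formName) {
    if (!isset($_POST[$formName]) || $_POST[$formName] === '') {
        http_response_code(400);
        exit('missing post parameter ' . $formName);
    }
    $params[$column] = $_POST[$formName];
}
// store a hash rather than the password itself (goes beyond what the answers show)
$params['epwd'] = password_hash($params['epwd'], PASSWORD_DEFAULT);
// column names come from the fixed $fields array, never from the request,
// so only the values need placeholders
$columns      = implode(', ', array_keys($params));
$placeholders = ':' . implode(', :', array_keys($params));
$stmt = $pdo->prepare("INSERT INTO employer ($columns) VALUES ($placeholders)");
try {
    $stmt->execute($params); // values are sent separately from the SQL text
    echo 'Thanks for registration';
} catch (PDOException $e) {
    // errorInfo[1] is the driver error code; 1062 means the unique index fired
    if ((int) ($e->errorInfo[1] ?? 0) === ER_DUP_ENTRY) {
        echo 'username already exists';
    } else {
        error_log($e->getMessage()); // detail stays server-side; client gets a generic message
        echo 'an error occurred';
    }
}
```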