registration Issue !

saqib389
Forum Commoner
Posts: 44
Joined: Wed Nov 30, 2005 2:13 am

registration Issue !

Post by saqib389 »

I'm unable to find out why it is happening... please help me...
I want to stop multiple usernames, like if "ABC" is already registered then another user cannot register as "ABC".
I have written some code.. it looks fine but it's still allowing multiple registrations..

Code: Select all

//Check if username already exists... 
 $q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
   $q3 = mysql_fetch_object($q2);
   
    if($q3->username == $_POST['username']) {
	die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
I'm checking here.. but it's still registering with an existing username.
Please help me out.. how can I restrict the user?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: registration Issue !

Post by Chris Corbyn »

saqib389 wrote: I'm unable to find out why it is happening... please help me...
I want to stop multiple usernames, like if "ABC" is already registered then another user cannot register as "ABC".
I have written some code.. it looks fine but it's still allowing multiple registrations..

Code: Select all

//Check if username already exists... 
 $q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
   $q3 = mysql_fetch_object($q2);
   
    if($q3->username == $_POST['username']) {
	die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
I'm checking here.. but it's still registering with an existing username.
Please help me out.. how can I restrict the user?
Two things....

1. No need to actually pull out the username data with mysql_fetch_object() when you can just check if mysql_num_rows() is greater than 0 ;)
2. Your checks are case sensitive so this could be your loophole. MySQL isn't case sensitive (AFAIK) but PHP certainly is (the bit where you check $_POST['username'] against the result member).

:D
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

SQL Injection 111!!!oneone

Try:

Code: Select all

<?php

function sqlClean ($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}

$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

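// mysql_fetch_assoc() returns column values as strings, so cast before the strict comparison
if ((int) $row['num'] === 0) {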
    echo "Username is available!";
} else {
    echo "Sorry, username already taken!";
}

?>
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

You can also make your username field a unique key in MySQL, so even if somehow your script fails you will never experience the side effects of having two users with the same username. This would be a very smart move.
MaNiAC
Forum Newbie
Posts: 20
Joined: Fri Dec 23, 2005 4:20 am

Post by MaNiAC »

Agreed with jshpro2.. make the field unique.

Then, what I would do...
Instead of

Code: Select all

$result = mysql_query($query);
I would do something like

Code: Select all

if( $result = mysql_query($query) ){
    header("Location: index.php");
} else {
    echo "Unable to signup.. please try again later";
}
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

maniac - mysql_query() will only return false if there is an error with the query.
MaNiAC
Forum Newbie
Posts: 20
Joined: Fri Dec 23, 2005 4:20 am

Post by MaNiAC »

Since the field in the table is unique... it will return an error
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

It's not a good idea to rely upon the RDBMS entirely.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Agreed, check the count on the table, the unique key is there as a backup (and I also think it provides some other benefit over "plain" indexes, dunno)..

anyways

Code: Select all

$result = mysql_query($query)
will also return true :wink: change the "=" to "=="... just thought I'd point out that typo so the OP doesn't copy-paste it into his code
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

It is actually valid.. although I don't consider it best practice

Code: Select all

if ($someVar = someFunction()) {
    var_dump($someVar); //returns bool true
}
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

wasn't even paying attention to the mysql_query part of it :lol:
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

Jenk wrote:SQL Injection 111!!!oneone

Try:

Code: Select all

<?php

function sqlClean ($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}

$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

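// mysql_fetch_assoc() returns column values as strings, so cast before the strict comparison
if ((int) $row['num'] === 0) {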
    echo "Username is available!";
} else {
    echo "Sorry, username already taken!";
}

?>
Glad I saw that!
I was looking for a way to create a filtering function and came across this
which then opened my eyes with great pleasure as I can see how to
use this as the starting point for filtering :P
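
The approach the thread converges on (an injection-safe existence check, with a unique key as the backstop) can be put together as below. This is an added example, not code from any poster: it uses PDO prepared statements instead of the escaping helper, an in-memory SQLite database stands in for MySQL so it runs offline, and `registerUser()` and the `password_hash` column are hypothetical names.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE makes the database the final arbiter of duplicates.
// COLLATE NOCASE makes "ABC" and "abc" collide (ASCII letters only in SQLite).
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL COLLATE NOCASE UNIQUE,
    password_hash TEXT NOT NULL
)');

// Hypothetical helper: returns "registered", "taken" or "invalid".
function registerUser(PDO $pdo, string $username, string $password): string
{
    $username = trim($username);
    if ($username === '') {
        return 'invalid';
    }

    // Friendly pre-check. The value is a bound parameter, so it never becomes SQL text.
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $check->execute([$username]);
    if ((int) $check->fetchColumn() > 0) {
        return 'taken';
    }

    // A concurrent request can still insert the same name between the check
    // and this INSERT; the unique key rejects it and we report it the same way.
    try {
        $insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // SQLSTATE: integrity constraint violation
            return 'taken';
        }
        throw $e; // any other database error is a real failure
    }
    return 'registered';
}

// Constructed sample input: a new name, a case variant, and a quote-laden string.
foreach (['ABC', 'abc', "x' OR '1'='1"] as $name) {
    printf("%-14s => %s\n", $name, registerUser($pdo, $name, 'constructed-sample-password'));
}
```

The quote-laden name is stored as an ordinary string rather than altering the query, and the case variant is rejected by the column collation rather than by a PHP-side comparison.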