Page 1 of 1
registration Issue !
Posted: Sun Dec 25, 2005 7:06 pm
by saqib389
i m unable to find it.. tat why it is happening... plz help me...
i want to stop multiple username like if "ABC" is already registered then another user cannot registered from "ABC"
i have written a code.. its looks fine but still.. its getting multiple registration..
Code: Select all
//Check if username already exists...
$q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
$q3 = mysql_fetch_object($q2);
if($q3->username == $_POST['username']) {
die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
i m checking here.. but still its getting registration with existing username
please help me out.. how can i restrict the user
Re: registration Issue !
Posted: Sun Dec 25, 2005 7:16 pm
by Chris Corbyn
saqib389 wrote:i m unable to find it.. tat why it is happening... plz help me...
i want to stop multiple username like if "ABC" is already registered then another user cannot registered from "ABC"
i have written a code.. its looks fine but still.. its getting multiple registration..
Code: Select all
//Check if username already exists...
$q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
$q3 = mysql_fetch_object($q2);
if($q3->username == $_POST['username']) {
die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
i m checking here.. but still its getting registration with existing username
please help me out.. how can i restrict the user
Two things....
1. No need to actually pull out the username data with mysql_fetch_object() when you can just check if mysql_num_rows() is greater than 0

2. Your checks are case sensitive so this could be your loophole. MySQL isn't case sensitive (AFAIK) but PHP certainly is (the bit where you check $_POST['username'] against the result member

Posted: Sun Dec 25, 2005 9:53 pm
by Jenk
SQL Injection 111!!!oneone
Try:
Code: Select all
<?php
function sqlClean ($string)
{
if (get_magic_quotes_gpc()) {
$string = stripslashes($string);
}
return mysql_real_escape_string($string);
}
$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if ($row['num'] === 0) {
echo "Username is available!";
} else {
echo "Sorry, username already taken!";
}
?>
Posted: Sun Dec 25, 2005 11:58 pm
by josh
You can also make your username field a unique key in mysql, so even if somehow your script fails you will never experience the side effects of having two users with teh same username, this would be a very smart move
Posted: Mon Dec 26, 2005 8:53 am
by MaNiAC
Agreed with jshpro2.. make the field unique.
Then, what I would do...
Instead of
I would do something like
Code: Select all
if( $result = mysql_query($query) ){
header("Location: index.php");
} else {
echo "Unable to signup.. please try again later";
}
Posted: Mon Dec 26, 2005 1:36 pm
by Jenk
maniac - mysql_query() will only return false if there is an error with the query.
Posted: Mon Dec 26, 2005 2:59 pm
by MaNiAC
Since the field in the table is unique... it will return an error
Posted: Mon Dec 26, 2005 3:13 pm
by Jenk
It's not a good idea to trust it upon the RDMS entirely.
Posted: Mon Dec 26, 2005 4:56 pm
by josh
Agreed, check the count on the table, the unique key is there as a backup (and I also think it provides some other benefit over "plain" indexes/. dunno)..
anyways
will also return true

change the "=" to "=="... just thought id point out that typo so the OP doesn't copy paste it into his code
Posted: Mon Dec 26, 2005 5:14 pm
by John Cartwright
It is actually valid.. although I don't consider it best practice
Code: Select all
if ($someVar = someFunction()) {
var_dump($someVar); //returns bool true
}
Posted: Mon Dec 26, 2005 5:44 pm
by josh
wasn't even paying attention to the mysql_query part of it

Posted: Mon Dec 26, 2005 8:13 pm
by blacksnday
Jenk wrote:SQL Injection 111!!!oneone
Try:
Code: Select all
<?php
function sqlClean ($string)
{
if (get_magic_quotes_gpc()) {
$string = stripslashes($string);
}
return mysql_real_escape_string($string);
}
$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if ($row['num'] === 0) {
echo "Username is available!";
} else {
echo "Sorry, username already taken!";
}
?>
Glad I saw that!
I was looking for a way to create a filtering function and came across this
which then opened my eyes with great pleasure as I can see how to
use this as the starting point for filtering
