Page 1 of 1

registration Issue !

Posted: Sun Dec 25, 2005 7:06 pm
by saqib389
i m unable to find it.. tat why it is happening... plz help me...
i want to stop multiple username like if "ABC" is already registered then another user cannot registered from "ABC"
i have written a code.. its looks fine but still.. its getting multiple registration..

Code: Select all

//Check if username already exists... 
 $q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
   $q3 = mysql_fetch_object($q2);
   
    if($q3->username == $_POST['username']) {
	die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
i m checking here.. but still its getting registration with existing username
please help me out.. how can i restrict the user

Re: registration Issue !

Posted: Sun Dec 25, 2005 7:16 pm
by Chris Corbyn
saqib389 wrote:i m unable to find it.. tat why it is happening... plz help me...
i want to stop multiple username like if "ABC" is already registered then another user cannot registered from "ABC"
i have written a code.. its looks fine but still.. its getting multiple registration..

Code: Select all

//Check if username already exists... 
 $q2 = mysql_query("SELECT * FROM `users` WHERE `username` = '".$_POST['username']."'");
   $q3 = mysql_fetch_object($q2);
   
    if($q3->username == $_POST['username']) {
	die('<BR><BR>Sorry, but the username "'.$q3->username.'" is taken, please choose another.');
}
i m checking here.. but still its getting registration with existing username
please help me out.. how can i restrict the user
Two things....

1. No need to actually pull out the username data with mysql_fetch_object() when you can just check if mysql_num_rows() is greater than 0 ;)
2. Your checks are case sensitive so this could be your loophole. MySQL isn't case sensitive (AFAIK) but PHP certainly is (the bit where you check $_POST['username'] against the result member

:D

Posted: Sun Dec 25, 2005 9:53 pm
by Jenk
SQL Injection 111!!!oneone

Try:

Code: Select all

<?php

function sqlClean ($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}

$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

if ($row['num'] === 0) {
    echo "Username is available!";
} else {
    echo "Sorry, username already taken!";
}

?>

Posted: Sun Dec 25, 2005 11:58 pm
by josh
You can also make your username field a unique key in mysql, so even if somehow your script fails you will never experience the side effects of having two users with teh same username, this would be a very smart move

Posted: Mon Dec 26, 2005 8:53 am
by MaNiAC
Agreed with jshpro2.. make the field unique.

Then, what I would do...
Instead of

Code: Select all

$result = mysql_query($query);
I would do something like

Code: Select all

if( $result = mysql_query($query) ){
    header("Location: index.php");
} else {
    echo "Unable to signup.. please try again later";
}

Posted: Mon Dec 26, 2005 1:36 pm
by Jenk
maniac - mysql_query() will only return false if there is an error with the query.

Posted: Mon Dec 26, 2005 2:59 pm
by MaNiAC
Since the field in the table is unique... it will return an error

Posted: Mon Dec 26, 2005 3:13 pm
by Jenk
It's not a good idea to trust it upon the RDMS entirely.

Posted: Mon Dec 26, 2005 4:56 pm
by josh
Agreed, check the count on the table, the unique key is there as a backup (and I also think it provides some other benefit over "plain" indexes/. dunno)..

anyways

Code: Select all

$result = mysql_query($query)
will also return true :wink: change the "=" to "=="... just thought id point out that typo so the OP doesn't copy paste it into his code

Posted: Mon Dec 26, 2005 5:14 pm
by John Cartwright
It is actually valid.. although I don't consider it best practice

Code: Select all

if ($someVar = someFunction()) {
    var_dump($someVar); //returns bool true
}

Posted: Mon Dec 26, 2005 5:44 pm
by josh
wasn't even paying attention to the mysql_query part of it :lol:

Posted: Mon Dec 26, 2005 8:13 pm
by blacksnday
Jenk wrote:SQL Injection 111!!!oneone

Try:

Code: Select all

<?php

function sqlClean ($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}

$query = "SELECT COUNT(*) AS `num` FROM `users` WHERE `username` = '" . sqlClean($_POST['username']) . "'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

if ($row['num'] === 0) {
    echo "Username is available!";
} else {
    echo "Sorry, username already taken!";
}

?>
Glad I saw that!
I was looking for a way to create a filtering function and came across this
which then opened my eyes with great pleasure as I can see how to
use this as the starting point for filtering :P