The Web Design Group

My first registration script problem...., Can't tell if username is taken.
R1cky_Da_Man1982
post Mar 2 2012, 03:33 PM
Post #1


Newbie
*

Group: Members
Posts: 10
Joined: 1-February 12
Member No.: 16,370



Hi!

This is my first real PHP script and I guess it's really basic!
But I have tried lots of things to make it so the script checks the DB to see if the username entered in the registration form is taken...
such as if else statements.
Here is what I've got so far:

CODE
<?php
$date = date('jS M Y');
$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("login", $con);


$sql="INSERT INTO members (username, password, email, registerdate)
VALUES
('$_POST[username]','$_POST[password]','$_POST[email]','$date')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con)
?>


Like I said, I tried adding

CODE
$SQL="SELECT * FROM members WHERE username = '$_POST[username]'
if (!$SQL)
echo "username is taken, please try another one"

else


then executed the insert part, but all it did was skip straight to the insert part even if the username matches.
Is there a good way of doing this?
As I say, I'm new to PHP and still learning the basic techniques.

edit:
Forgot to mention that the actual form sending the data is in a separate page.

This post has been edited by R1cky_Da_Man1982: Mar 2 2012, 03:42 PM
Brian Chandler
post Mar 3 2012, 07:17 AM
Post #2


Jocular coder
********

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



QUOTE(R1cky_Da_Man1982 @ Mar 3 2012, 05:33 AM) *

Hi!

This is my first real PHP script and I guess it's really basic!
But I have tried lots of things to make it so the script checks the DB to see if the username entered in the registration form is taken...
such as if else statements.


This really is not how programming works. Just trying random things here and there is as likely to get you a working program as messing around in a junkyard is to build you a (working!) 747.

You have to debug your efforts tiny bit by tiny bit. Can you get INSERT to work? ...test using mysqlphpadmin...

CODE

$sql="INSERT INTO members (username, password, email, registerdate)
VALUES
('$_POST[username]','$_POST[password]','$_POST[email]','$date')";


This is a *bad* way to do things. If you have $_POST variables you must first check they are what you expect. E.g. usernames perhaps must be alphanumeric. Typically you copy the $_POST['email'] (should have quotes!) to a variable $email, which you know is OK, then when you put it in an SQL query you must escape any SQL sensitive characters -- mysql_real_escape() iirc -- and look up "SQL injection"!

QUOTE

Here is what I've got so far:

Like I said, I tried adding

CODE
$SQL="SELECT * FROM members WHERE username = '$_POST[username]'
if (!$SQL)
echo "username is taken, please try another one"

else



If you set the variable $SQL to a string starting "SELECT...", is its value TRUE or FALSE, interpreted as a boolean (which means "inside if( )")?

R1cky_Da_Man1982
post Mar 4 2012, 09:33 AM
Post #3


Newbie
*

Group: Members
Posts: 10
Joined: 1-February 12
Member No.: 16,370



Thanks I think I understand what you are saying.

So I have the insert working fine.
So I sent the form info to variables.
Checked them for tags etc.

That all worked fine.

Then again I was back at checking the username.

So I decided to write this bit to check it.
CODE

$sql="SELECT * FROM members WHERE username = $user";
$result = mysql_query($sql);
$num_rows = mysql_num_rows($result);
if ($num_rows >0)
echo "username taken";


But I get this error:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\Program Files\EasyPHP-5.3.9\www\signup.php on line 25

Line 25 is the bit that checks if the number of rows returned is greater than 0.

Surely if there isn't a match it should execute the rest of the code, and if there is it should halt it?

Also, as well as the error, it carries on with the insert anyway.

edit:
Solved the problem.
I forgot to put the ' ' around the user variable.
CODE

$sql="SELECT * FROM members WHERE username = '$user'";
$result = mysql_query($sql);
$num_rows = mysql_num_rows($result);
if ($num_rows >0)
echo "username taken";


This post has been edited by R1cky_Da_Man1982: Mar 4 2012, 09:40 AM
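
Added example, not part of the original posts: why the quoting advice in Post #2 matters even for honest input, and why the query in Post #3 came back as false instead of a result. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* functions and MySQL table; the function names and sample usernames are constructed for illustration.

```php
<?php
// Added example: interpolated vs. bound username lookup.
// Assumption: PDO + in-memory SQLite stand in for the thread's MySQL "members" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT UNIQUE, email TEXT)');
$db->exec("INSERT INTO members VALUES ('ricky', 'ricky@example.com')");

// Post #1/#3 style: the submitted value becomes part of the SQL text itself.
function takenInterpolated(PDO $db, string $user): ?bool
{
    try {
        $rows = $db->query("SELECT 1 FROM members WHERE username = '$user'");
        return $rows->fetchColumn() !== false;
    } catch (PDOException $e) {
        return null; // the statement did not parse, so there is no result to count
    }
}

// Prepared statement: the SQL text is fixed and the value travels separately.
function takenBound(PDO $db, string $user): bool
{
    $stmt = $db->prepare('SELECT 1 FROM members WHERE username = ?');
    $stmt->execute([$user]);
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: an existing name, a free name, and a name containing a quote.
foreach (['ricky', 'newuser', "o'brien"] as $name) {
    printf("%-8s interpolated=%-5s bound=%s\n",
        $name,
        var_export(takenInterpolated($db, $name), true),
        var_export(takenBound($db, $name), true));
}
```

The name with an apostrophe ends the string literal early in the interpolated query, so the statement fails to parse; that failure is the same kind of "boolean given" condition as in Post #3, and the bound version is unaffected by it.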
Ephraim F. Moya
post Mar 4 2012, 10:40 AM
Post #4


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



QUOTE(R1cky_Da_Man1982 @ Mar 2 2012, 01:33 PM) *

Hi!

This is my first real PHP script and I guess it's really basic!
But I have tried lots of things to make it so the script checks the DB to see if the username entered in the registration form is taken...
such as if else statements.
Here is what I've got so far:

CODE
<?php
$date = date('jS M Y');
$con = mysql_connect("localhost","root","");
...


Add this statement: error_reporting( -1 );

<?php
error_reporting( -1 );
$date = date('jS M Y');
$con = mysql_connect("localhost","root","");
...

This will make php display ALL error messages.
You've got a lot of them.

This post has been edited by Ephraim F. Moya: Mar 4 2012, 10:41 AM
Darin McGrew
post Mar 4 2012, 12:13 PM
Post #5


WDG Member
********

Group: Root Admin
Posts: 8,365
Joined: 4-August 06
From: Mountain View, CA
Member No.: 3



And do take Brian's advice and look up "SQL injection".
R1cky_Da_Man1982
post Mar 6 2012, 08:39 AM
Post #6


Newbie
*

Group: Members
Posts: 10
Joined: 1-February 12
Member No.: 16,370



Hey guys.

So I went back over everything...

and came up with this that seems to work exactly how I want it to....

CODE

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    error_reporting( -1 );

    // Copy the submitted form fields into local variables.
    $user = $_POST['username'];
    $pass = $_POST['password'];
    $mail = $_POST['email'];
    $date = date('jS M Y');
    $ulength = strlen($user);
    $plength = strlen($pass);
    $mlength = strlen($mail);
    $user = htmlspecialchars($user);
    $pass = htmlspecialchars($pass);
    $mail = htmlspecialchars($mail);

    $con = mysql_connect("localhost","root","");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    // Length checks, chained with elseif so the insert below runs only
    // when all three checks pass.
    if ($ulength <=3 OR $ulength >=30) {
        print "<center><table bgcolor=#bc003d cellspacing=2 cellpadding=4 width=450px><tr valign=middle><td bgcolor=#ffffff width=450px align=center><font color=#bc003d size=2px>the username must be between 3 and 30 characters long</font></td></tr></table></center>";
    } elseif ($plength <=8 OR $plength >=16) {
        print "<center><table bgcolor=#bc003d cellspacing=2 cellpadding=4 width=450px><tr valign=middle><td bgcolor=#ffffff width=450px align=center><font color=#bc003d size=2px>the password must be between 8 and 16 characters long</font></td></tr></table></center>";
    } elseif ($mlength <=3 OR $mlength >=30) {
        print "<center><table bgcolor=#bc003d cellspacing=2 cellpadding=4 width=450px><tr valign=middle><td bgcolor=#ffffff width=450px align=center><font color=#bc003d size=2px>the email must be between 3 and 30 characters long</font></td></tr></table></center>";
    } else {
        mysql_select_db("users", $con);

        // Look for an existing row with the same username.
        $sql="SELECT * FROM members WHERE username = '$user'";
        $result = mysql_query($sql,$con);
        $num_rows = mysql_num_rows($result);
        if ($num_rows > 0) {
            print "<center><table bgcolor=#bc003d cellspacing=2 cellpadding=4 width=450px><tr valign=middle><td bgcolor=#ffffff width=450px align=center><font color=#bc003d size=2px>the username is taken please use a different one!</font></td></tr></table></center>";
        } else {
            // No match found: add the new member.
            $sql="INSERT INTO members (username, password, email, registerdate)
VALUES
('$user','$pass', '$mail', '$date')";

            if (!mysql_query($sql,$con)) {
                die('Error: ' . mysql_error());
            }
            echo "1 record added";
        }
    }

    mysql_close($con);
}
?>


I also took the advice and looked into SQL injection attacks..
Everything seems to point towards mysql_real_escape_string...

But where exactly do you implement this?

And 2 more questions I have..

Is there a way to make an input field only allow alpha/numerical values, or in the case of an email alpha/numerical with only @ and . allowed?

And the best way to completely remove HTML tags, as htmlspecialchars only replaces them with safe values.

This post has been edited by R1cky_Da_Man1982: Mar 6 2012, 08:58 AM
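
Added example, not part of the original post: one way to handle the three questions above together, with whitelist validation of each field, bound parameters instead of escaping, and a UNIQUE column so that two simultaneous sign-ups cannot both pass a SELECT check. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL setup; register(), its messages and the sample submissions are hypothetical.

```php
<?php
// Added example: registration with validation, a bound INSERT and a UNIQUE column.
// Assumptions: PDO + in-memory SQLite instead of the thread's MySQL database;
// register() and its messages are hypothetical names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database itself refuse a duplicate username.
$db->exec('CREATE TABLE members (username TEXT NOT NULL UNIQUE, password TEXT NOT NULL,
    email TEXT NOT NULL, registerdate TEXT NOT NULL)');

function register(PDO $db, string $user, string $pass, string $mail): array
{
    $errors = [];
    // Check each field against what is expected; collect every error first.
    if (!ctype_alnum($user) || strlen($user) < 3 || strlen($user) > 30) {
        $errors[] = 'the username must be 3 to 30 letters or digits';
    }
    if (strlen($pass) < 8) {
        $errors[] = 'the password must be at least 8 characters long';
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'the email address is not valid';
    }
    if ($errors) {
        return $errors; // nothing reaches the database
    }
    try {
        $stmt = $db->prepare(
            'INSERT INTO members (username, password, email, registerdate)
             VALUES (?, ?, ?, ?)');
        // Values are bound, not interpolated; only a hash of the password is stored.
        $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $mail, date('Y-m-d')]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // SQLSTATE: integrity constraint violation
            return ['the username is taken, please use a different one'];
        }
        throw $e;
    }
    return [];
}

// Constructed sample submissions: a valid one, a duplicate, and an invalid one.
echo json_encode(register($db, 'ricky', 'correct horse', 'ricky@example.com')), "\n";
echo json_encode(register($db, 'ricky', 'another pass', 'other@example.com')), "\n";
echo json_encode(register($db, 'r!', 'short', 'not-an-email')), "\n";
```

htmlspecialchars() is left out on purpose: it belongs at the point where a stored value is printed into an HTML page, not before the value is saved.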
Darin McGrew
post Mar 6 2012, 12:15 PM
Post #7


WDG Member
********

Group: Root Admin
Posts: 8,365
Joined: 4-August 06
From: Mountain View, CA
Member No.: 3



Please see the FAQ entry How can I require that fields be filled in, or filled in correctly?
R1cky_Da_Man1982
post Mar 6 2012, 01:10 PM
Post #8


Newbie
*

Group: Members
Posts: 10
Joined: 1-February 12
Member No.: 16,370



QUOTE(Darin McGrew @ Mar 6 2012, 05:15 PM) *


Thanks, I will have a read of that, and I am sorry for the constant silly questions. I am really that new to PHP.

I'm guessing the code I have is OK as no errors are displaying with error reporting on.

Also I just found this great tutorial on validation and sanitation:
validation and sanitation tutorial
I found it really easy to understand.