0

I'd like to make an if statement that checks if the username already exists in the MySQL database. I tried some different stuff, but I can't make it work. Every time I test it in my browser I get a notice:

Notice: Undefined index: username in etc.

I am confused if it has anything to do with the $result variable or the $check variable or neither.

Here is the HTML form and the PHP script. https://gist.github.com/anonymous/9704354

Thank you and have a nice weekend!

  • `}elseif($_POST['username'] == $check['username']){` - You don't have a field called `username` in your form. Do you mean `$_POST[create_user]`? – Mark Baker Mar 22 '14 at 10:41
  • 2
    Your code is vulnerable to SQL injection. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174) – Madara's Ghost Mar 22 '14 at 10:42

2 Answers

4

There are a few things that are wrong in your code.

First, never place variables directly in SQL queries; that's how SQL injections happen. Start using PDO or another library for your MySQL.

The reason you are getting an undefined notice is because of this line.

    $result = mysql_query("SELECT * FROM users WHERE username = '$_POST[create_user]'");

It should be this, without fixing the huge SQL injection flaw:

    $result = mysql_query("SELECT * FROM users WHERE username = '{$_POST['create_user']}'");

Also, you should add a "LIMIT 1" to the end of the select query to speed things up. No need to look for more than one user.

You can verify the user by just checking for row_count instead of checking the text values. Since MySQL is not case sensitive for some fields, username "AAAaaa" will be equal to "aaaAAA". If you check row count instead, you will be sure that no usernames are in the database of that text. Or if you want to check using PHP, make sure you pass the usernames through `strtolower()`.

When you start using PDO, the following example will help you.

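    // $dsn, $dbUser and $dbPassword are placeholders: set the proper values, see http://us2.php.net/pdo
    $dbh = new PDO($dsn, $dbUser, $dbPassword);

    // Reject a missing or empty username before touching the database.
    if (empty($_POST['create_user'])) {
        echo 'Username is Empty. Always check if POST and Get data is set';
        die();
    }

    // The username is bound to the ? placeholder instead of being placed in the SQL string.
    $query = "SELECT * FROM `users` WHERE `username` = ? LIMIT 1;";
    $data = array($_POST['create_user']);
    $sth = $dbh->prepare($query);

    if (!$sth->execute($data)) {
        echo 'Handle SQL Error';
        die();
    }

    // No matching row means the username is still free.
    if ($sth->rowCount() == 0) {
        echo 'Unused Username';
    } else {
        echo 'Used Username';
    }
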
David
  • 1
    Also, no need to `SELECT *` - Why format/transmit back data you don't care about? `SELECT Id` should be sufficient. Make sure Username has a unique index – Basic Mar 22 '14 at 10:47
  • 1
    I was unsure what the structure of the database was so I kept it with *. But yes, Basic is correct, all you need to select is the `id`. – David Mar 22 '14 at 10:48
  • 1
    Another quick note, the salts you used when creating the passwords aren't really that useful. Salts should be generated on a per-user basis and not global to the site. – David Mar 22 '14 at 10:54
  • 1
    Never heard about PDO, but I will sure look more into that. Your answer was more than I expected, thanks a lot! – user3041854 Mar 22 '14 at 10:57
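
The points from the answer above and its comments (a bound parameter, `SELECT id ... LIMIT 1`, a unique index on the username, per-user salts), combined in one added example that is not code from the original posts. It assumes an in-memory SQLite database so it runs offline, with `COLLATE NOCASE` standing in for MySQL's case-insensitive comparison; the `users` columns and the helpers `usernameExists` and `createUser` are hypothetical.

```php
<?php
// Added example. Uses an in-memory SQLite database so it runs offline; with
// MySQL only the DSN and the CREATE TABLE statement change (assumption).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// COLLATE NOCASE mimics MySQL's default case-insensitive comparison, and the
// UNIQUE index makes the database itself reject a duplicate username.
$dbh->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL COLLATE NOCASE UNIQUE,
    password_hash TEXT NOT NULL
)');

// Hypothetical helper: true if the username is already taken.
function usernameExists(PDO $dbh, string $username): bool
{
    // The value is bound as a parameter, never concatenated into the SQL.
    $sth = $dbh->prepare('SELECT id FROM users WHERE username = ? LIMIT 1');
    $sth->execute([$username]);
    // fetchColumn() returns false when no row matched.
    return $sth->fetchColumn() !== false;
}

// Hypothetical helper: returns true on success, false if the name is taken.
function createUser(PDO $dbh, string $username, string $password): bool
{
    if ($username === '' || usernameExists($dbh, $username)) {
        return false;
    }
    try {
        $sth = $dbh->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        // password_hash() generates a fresh random salt for every user.
        $sth->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation: another request
        // inserted the same name between the check and the INSERT.
        if (substr((string) $e->getCode(), 0, 2) === '23') {
            return false;
        }
        throw $e;
    }
}

// Constructed sample input: a new name, the same name in another case, a name with a quote.
var_dump(createUser($dbh, 'AAAaaa', 'pw-one'));
var_dump(createUser($dbh, 'aaaAAA', 'pw-two'));
var_dump(usernameExists($dbh, "o'brien"));
```

The pre-check gives a friendly message in the common case, while the unique index remains the authoritative check when two requests race for the same name.
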
0

This is what I've found:

The `$_POST['username']` should be like `$_POST['create_user']`.

ɹɐqʞɐ zoɹǝɟ