
I am building a login system for my website using MySQL and PHP. I want to make sure that two users don't have the same username.

```php
<?php
$servername = "xxxxxxxx";
$username = "xxxxxxx";
$password = "xxxxxxx";
$dbname = "users";


// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// pulls variables from the html form
// (note: these overwrite the $username / $password used for the DB connection above)
$username=$_POST['username'];
$password=$_POST['password'];
$email=$_POST['email'];
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$date=$_POST['date'];   // was $POST['date'], which is an undefined variable

// inserts
$sql = "INSERT INTO users (username, password, email, fname, lname, birthday)
VALUES ('$username', '$password', '$email', '$fname', '$lname', '$date')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
```

I want to make it so if someone tries to create an account with the username "test123" and "test123" was already being used then a page would come up telling that person to choose a different username.

Prof101
    OK, so `SELECT username FROM users WHERE username=$username` and see if it returns anything. But DO NOT use the $_POST vars in your query, use prepared statements. – AbraCadaver Apr 28 '16 at 20:31
  • 1
    FYI, your code is vulnerable to [SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – mister martin Apr 28 '16 at 20:32
  • Alternately, put a unique key on the username field, then use `INSERT IGNORE` and check the affected rows after the query execution. If it is 0 the insert was cancelled because the entry already exists. BUT step 0 is to stop putting $_POST var directly in your query – Dan Apr 28 '16 at 20:34
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 28 '16 at 20:34
  • **Do not store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 28 '16 at 20:34
  • @AbraCadaver How would I turn this into an IF ELSE statement? – Prof101 Apr 28 '16 at 20:35
  • @JayBlanchard this is just a test website for learning purposes so I'm not worried about security. But thank you for your comment – Prof101 Apr 28 '16 at 20:37
  • `if (` http://php.net/manual/en/mysqli-result.num-rows.php `) { echo "username exists"; }` – AbraCadaver Apr 28 '16 at 20:37
  • @AbraCadaver this causes an Error – Prof101 Apr 28 '16 at 20:39
  • 1
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Apr 28 '16 at 20:40
  • 1
    @JayBlanchard That's true. – Prof101 Apr 28 '16 at 20:42
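The following is an added example, not code from the question or any commenter, putting the comment thread's three recommendations together: the `SELECT` pre-check AbraCadaver describes (giving the IF/ELSE the question asks for), a UNIQUE index on `username` as Dan suggests so the database itself rejects a duplicate that slips past the check, and `password_hash()` as Jay Blanchard insists on. Every query uses a prepared statement, so form input never touches the SQL text. The connection values are placeholders, the table is assumed to have `UNIQUE KEY (username)`, and the column names are the question's own. MySQL error code 1062 (`ER_DUP_ENTRY`) is the real code MySQL returns for a unique-key violation.

```php
<?php
// Added example (not the asker's or a commenter's code).
// Assumes the table was created/altered with a unique index, e.g.:
//   ALTER TABLE users ADD UNIQUE KEY uq_username (username);
// Connection details are placeholders.
$conn = new mysqli("db-host-placeholder", "db-user-placeholder", "db-pass-placeholder", "users");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$conn->set_charset("utf8mb4");

// Read the form fields; use distinct names so the DB credentials are not overwritten.
$formUser  = $_POST['username'] ?? '';
$formPass  = $_POST['password'] ?? '';
$email     = $_POST['email']    ?? '';
$fname     = $_POST['fname']    ?? '';
$lname     = $_POST['lname']    ?? '';
$date      = $_POST['date']     ?? '';

if ($formUser === '' || $formPass === '') {
    exit("Username and password are required.");
}

// Step 1: pre-check with a prepared statement (the IF/ELSE the question asks for).
// The "?" placeholder is bound, so the username can never change the query's meaning.
$stmt = $conn->prepare("SELECT 1 FROM users WHERE username = ?");
$stmt->bind_param("s", $formUser);
$stmt->execute();
$stmt->store_result();
$taken = $stmt->num_rows > 0;
$stmt->close();

if ($taken) {
    $conn->close();
    exit("That username is already taken. Please choose a different one.");
}

// Step 2: hash the password exactly as typed (no escaping or trimming first), then insert.
// The UNIQUE index is the real guarantee: two requests can both pass the check above
// at the same instant, and only one of them can win the insert.
$hash = password_hash($formPass, PASSWORD_DEFAULT);

$stmt = $conn->prepare(
    "INSERT INTO users (username, password, email, fname, lname, birthday)
     VALUES (?, ?, ?, ?, ?, ?)"
);
$stmt->bind_param("ssssss", $formUser, $hash, $email, $fname, $lname, $date);

if ($stmt->execute()) {
    echo "New record created successfully";
} elseif ($stmt->errno === 1062) {
    // ER_DUP_ENTRY: lost the race to a concurrent signup with the same username.
    echo "That username is already taken. Please choose a different one.";
} else {
    // Report the failure without echoing the SQL text or raw input back to the browser.
    error_log("user insert failed: " . $stmt->error);
    echo "Sorry, your account could not be created right now.";
}
$stmt->close();
$conn->close();
?>
```

On login, compare the submitted password against the stored hash with `password_verify($submitted, $storedHash)` rather than comparing strings yourself; the hash produced by `password_hash()` already carries its salt and algorithm parameters, so nothing else needs to be stored.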

0 Answers