The code verifies that the email exists, but it doesn't prevent inserting duplicates in the table. I would like to insert if it doesn't exist, and redirect to thank_you.php. Code looks like this:

```php
<?php
if (isset($_POST['submit'])) {
    $firstName = $_POST['firstName'];
    $lastName  = $_POST['lastName'];
    $username  = $_POST['username'];
    $password  = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $country   = $_POST['country'];
    $city      = $_POST['city'];
    $state     = $_POST['state'];
    $phone     = $_POST['phone'];

    include 'connect_sql.php';

    // insert statement built from the submitted values
    $sql = "INSERT INTO [Sonic].[dbo].[member] ([firstName],[lastName],[UserName],[Password],[Country],[City],[State],[Phone])
            VALUES ('$firstName', '$lastName', '$username', '$password', '$country', '$city', '$state', '$phone')";

    // lookup used to decide whether the username is already taken
    $email = "SELECT UserName FROM [Sonic].[dbo].[member] WHERE UserName='$username'";

    $row = sqlsrv_fetch_array($email, SQLSRV_FETCH_ASSOC);

    $stmt = sqlsrv_query($conn, $sql);

    if ($row === false) {
        echo "<div id='message'> Username $username already exist</div>";
    } else {
        header('Location: thank_you.php');
    }
}
?>
```
Jacman
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 20 '16 at 17:34
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 20 '16 at 17:34
  • Check first by selecting the email address. If it exists do not do the insert. – Jay Blanchard Oct 20 '16 at 17:35
  • @JayBlanchard I thought about that, any suggestions? – Jacman Oct 20 '16 at 17:35
  • Code it up and test it? ¯\\_(ツ)_/¯ – Jay Blanchard Oct 20 '16 at 17:36
  • @JayBlanchard Thanks a lot for your suggestion, I changed the code to reflect the password_hash() – Jacman Oct 20 '16 at 17:52
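Putting the comments together (select first, insert only when the username is free, and keep user input out of the SQL text with sqlsrv placeholders), as an added example that is not the asker's or Jay Blanchard's code. It assumes PHP 5.5+, the sqlsrv extension, the same `[Sonic].[dbo].[member]` table, and that `connect_sql.php` defines `$conn`:

```php
<?php
// Assumes connect_sql.php defines $conn, a sqlsrv connection resource.

function sqlsrvFail() { throw new RuntimeException(print_r(sqlsrv_errors(), true)); }

function usernameExists($conn, $username)
{
    $stmt = sqlsrv_query($conn, "SELECT 1 FROM [Sonic].[dbo].[member] WHERE UserName = ?", [$username]);
    if ($stmt === false) { sqlsrvFail(); }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC); // null = no rows, false = error
    sqlsrv_free_stmt($stmt);
    if ($row === false) { sqlsrvFail(); }
    return $row !== null;
}

// Returns false only when SQL Server rejected a duplicate (2627 = UNIQUE constraint,
// 2601 = unique index). That constraint is what holds under concurrent sign-ups,
// since two requests can both pass the SELECT before either INSERT runs.
function insertMember($conn, array $m)
{
    $sql = "INSERT INTO [Sonic].[dbo].[member]
            ([firstName],[lastName],[UserName],[Password],[Country],[City],[State],[Phone])
            VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
    $params = [$m['firstName'], $m['lastName'], $m['username'],
               password_hash($m['password'], PASSWORD_DEFAULT), // hash the raw password, never escape it
               $m['country'], $m['city'], $m['state'], $m['phone']];
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        $errors = sqlsrv_errors();
        $code = isset($errors[0]['code']) ? (int) $errors[0]['code'] : 0;
        if ($code === 2627 || $code === 2601) {
            return false;
        }
        sqlsrvFail();
    }
    sqlsrv_free_stmt($stmt);
    return true;
}

if (isset($_POST['submit'])) {
    include 'connect_sql.php';
    $username = $_POST['username'];
    if (usernameExists($conn, $username) || !insertMember($conn, $_POST)) {
        // htmlspecialchars stops the echoed username from injecting HTML into the page
        echo "<div id='message'>Username " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . " already exists</div>";
    } else {
        header('Location: thank_you.php');
        exit; // stop the script so nothing runs after the redirect header
    }
}
```

The SELECT only provides the friendly message; add a UNIQUE constraint on `UserName` so the database itself refuses the duplicate, which the 2627/2601 check then turns into that same message.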

0 Answers