
I'm working on a log-in/register form for school and I've encountered a problem.

How do I give an error message if you use a username that already exists in the database? (I've used a UNIQUE KEY for the usernames.)

Thanks in advance for any answers :) have a nice day

<?php
    error_reporting(E_ALL & ~E_NOTICE);
    session_start();
    if ($_POST['submit']) {
        // check if passwords match
        if ($_POST['password'] == $_POST['confirmpassword']) {
            include_once("connect.php");
            // username is escaped; the password is inserted exactly as submitted (plain text)
            $username = $dbCon->real_escape_string($_POST['username']);
            $password = ($_POST['password']);
            $sql = "INSERT INTO members (username, password, activated) "
                    ."VALUES ('$username', '$password', '1')";

            // if registration successful, send to user.php, if not, error message
            if ($dbCon->query($sql) === true) {
                header('Location: user.php');
                // anything echoed after a Location header is not shown; the browser follows the redirect
                echo "Registration successful, Welcome $username";
                exit;
            } else {
                // query() also returns false for a duplicate username, so this message is misleading
                echo "Could not register, please fill in both username and password";
            }
        } else { // if the passwords do not match
            echo "The passwords do not match!";
        }
    }
?>
RiggsFolly
Mattee
  • Just do a `SELECT * ...` and then check with a `foreach` if the user who was input is the same as one in the array. – WasteD Feb 27 '17 at 15:25
  • You can make a `SELECT COUNT(*) FROM YourTableName WHERE Username = 'username'`; if 1 is returned, the username exists. – Thomas Rollet Feb 27 '17 at 15:25
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Feb 27 '17 at 15:25
  • And what about: *Don't SAVE passwords as PLAIN text in the Database!!!* – JustOnUnderMillions Feb 27 '17 at 15:26
  • Or look at the error code from the INSERT and if it is the duplicate entry error, give an appropriate error message. – RiggsFolly Feb 27 '17 at 15:26
  • PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Feb 27 '17 at 15:27
  • FYI @WasteD's comment is sarcasm. Don't actually implement it. – Dimi Feb 27 '17 at 15:40
  • @ThomasRollet it is not necessary to perform a select to check for the existence of the username. Relying on the unique index is enough, see RiggsFolly's comment. – Shadow Feb 27 '17 at 15:47
  • @RiggsFolly I found a dupe target for this question. – Shadow Feb 27 '17 at 15:49
  • @Shadow Not the greatest answer but it will do. – RiggsFolly Feb 27 '17 at 15:50
  • @Dimi Actually it wasn't xD it was just the first thing which came into my head, I didn't think of the `COUNT` variant ... – WasteD Feb 27 '17 at 15:51
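The comments above point at three fixes that fit together: let the UNIQUE KEY do the existence check and inspect the INSERT's error code, send the values through a prepared statement, and store a `password_hash()` result rather than the plain password. The script below is an added example that ties those together; it is not the poster's code and not an answer from the thread. It assumes, as the question does, that `connect.php` creates a mysqli connection in `$dbCon` and that `members` has `username`, `password` and `activated` columns with a UNIQUE KEY on `username`; the helper names `registerUser` and `verifyLogin` are hypothetical. MySQL reports a UNIQUE/PRIMARY KEY violation as error 1062 (ER_DUP_ENTRY), which is what the duplicate check keys on.

```php
<?php
// Added example, not the original poster's code. Assumes connect.php sets up
// a mysqli connection in $dbCon, and that members.username has a UNIQUE KEY.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on errors instead of returning false,
// so the duplicate-key case can be told apart from every other failure.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ER_DUP_ENTRY = 1062; // MySQL error code for a UNIQUE/PRIMARY KEY violation

/**
 * Hypothetical helper: insert the user, returning 'ok', 'duplicate' or 'error'.
 * The UNIQUE KEY performs the existence check atomically; a SELECT beforehand
 * would still race with a concurrent registration of the same name.
 */
function registerUser(mysqli $dbCon, string $username, string $password): string
{
    // Store a bcrypt hash (PASSWORD_DEFAULT), never the submitted password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    try {
        $stmt = $dbCon->prepare(
            'INSERT INTO members (username, password, activated) VALUES (?, ?, 1)'
        );
        // Values travel separately from the SQL text, so no escaping is involved.
        $stmt->bind_param('ss', $username, $hash);
        $stmt->execute();
        $stmt->close();
        return 'ok';
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === ER_DUP_ENTRY) {
            return 'duplicate';
        }
        // Keep the database error in the server log, not in the response.
        error_log('registration failed: ' . $e->getMessage());
        return 'error';
    }
}

/**
 * Hypothetical login counterpart: fetch the stored hash and check it with
 * password_verify(). Returns true only for an activated user with a valid password.
 */
function verifyLogin(mysqli $dbCon, string $username, string $password): bool
{
    $hash = '';
    $stmt = $dbCon->prepare(
        'SELECT password FROM members WHERE username = ? AND activated = 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    return $found === true && password_verify($password, $hash);
}

session_start();

if (isset($_POST['submit'])) {
    $username        = trim($_POST['username'] ?? '');
    $password        = $_POST['password'] ?? '';
    $confirmPassword = $_POST['confirmpassword'] ?? '';

    if ($username === '' || $password === '') {
        echo 'Please fill in both username and password.';
    } elseif ($password !== $confirmPassword) {
        echo 'The passwords do not match!';
    } else {
        require_once 'connect.php';
        switch (registerUser($dbCon, $username, $password)) {
            case 'ok':
                header('Location: user.php'); // nothing is echoed before the redirect
                exit;
            case 'duplicate':
                echo 'That username is already taken, please choose another.';
                break;
            default:
                echo 'Could not register, please try again later.';
        }
    }
}
```

The duplicate message is the one piece of database feedback worth showing to the user; every other error goes to `error_log()` so that schema details never reach the response. Because the check rides on the INSERT itself, two requests registering the same name at once cannot both succeed, which a SELECT-then-INSERT pattern does not guarantee.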

0 Answers