Hi All,
I am learning how to do register and login pages (both secure) for my sites and got some ideas from several users. I am getting an error when trying to validate that the username does not already exist and that there is not more than 1 name selected, to try and stop any attempts at SQL injection.
Here is the code that gives me the error...
<?php
$error = NULL;
$time = time();
include('connect.php');
// get posts
$userid = $_POST['userid'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$fullname = $_POST['fullname'];
$email = $_POST['email'];
// escape every value before it is placed inside a quoted SQL string; without this,
// a quote character typed into the form becomes part of the query itself
$userid_sql = mysql_real_escape_string($userid);
$password_sql = mysql_real_escape_string($password);
$fullname_sql = mysql_real_escape_string($fullname);
$email_sql = mysql_real_escape_string($email);
//check validity of username
$check_username = mysql_query("select userid from user where userid='" . $userid_sql . "'");
if ( mysql_num_rows($check_username) > 0 ) { $error .= "Sorry but that username is already being used!<br>"; }
if ( $password != $password2 ) { $error .= "Sorry but your 2 passwords did not match!<br>"; }
if ( strlen($userid) > 15 ) { $error .= "Sorry but your username cannot be over 15 characters.<br>"; }
if ( empty($userid) ) { $error .= "You must choose a username!<br>"; }
if ( empty($fullname) ) { $error .= "You must enter your full name!<br>"; }
if ( empty($password) OR empty($password2) ) { $error .= "You must fill in both password fields!<br>"; }
if ( empty($email) ) { $error .= "You must enter an email address!<br>"; }
if ($error == NULL)
//insert data if all went well
{
// the original insert was missing the closing quote after $time, which is a SQL syntax error;
// note that the password is still stored exactly as typed here (hashing it is a separate step)
mysql_query("insert into user(userid,password,fullname,email,time) values('" . $userid_sql . "','" . $password_sql . "','" . $fullname_sql . "','" . $email_sql . "','" . $time . "')");
//redirect to congrats page only after the insert was reached
// (inside single quotes, \" is output literally, so the old tag carried stray backslashes)
echo '<META HTTP-EQUIV="Refresh" CONTENT="5; URL=html-congrats.php">';
}
else {
$error .= "<br>Please <a href='register.php'>try again</a>!";
// the message was built but never shown; print it so the user sees what failed
echo $error;
}
?>
I cannot see the forest for the trees, so to speak, at this point.
Note, I have read dozens of methods on ...
1) encrypting the password
2) authentication
3) sessions and cookies
4) stopping SQL attacks
so any comments/suggestions on the above code and thought process would be greatly appreciated.
Thanks in advance,
Don
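The same registration handler rewritten with prepared statements and password hashing, as an added example that is not the original poster's code. It assumes connect.php defines $db as a mysqli connection (the post's connect.php is not shown), that the table is the one in the post, user(userid, password, fullname, email, time), with a password column wide enough for a password_hash() string (VARCHAR(255)), and PHP 5.5 or later for password_hash()/password_verify(). The login_ok() helper at the end is likewise an assumed name added here to show the matching check for the login page.

```php
<?php
// Added example, not the original poster's code. Assumes connect.php creates a
// mysqli connection in $db and the table user(userid, password, fullname, email, time).
include('connect.php');

$error     = '';
$userid    = isset($_POST['userid'])    ? trim($_POST['userid'])   : '';
$password  = isset($_POST['password'])  ? $_POST['password']       : '';
$password2 = isset($_POST['password2']) ? $_POST['password2']      : '';
$fullname  = isset($_POST['fullname'])  ? trim($_POST['fullname']) : '';
$email     = isset($_POST['email'])     ? trim($_POST['email'])    : '';

// Input validation first; none of these checks needs a database round trip.
if ($userid === '')           { $error .= "You must choose a username!<br>"; }
if (strlen($userid) > 15)     { $error .= "Sorry but your username cannot be over 15 characters.<br>"; }
if ($fullname === '')         { $error .= "You must enter your full name!<br>"; }
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $error .= "You must enter a valid email address!<br>"; }
if ($password === '' || $password2 === '') { $error .= "You must fill in both password fields!<br>"; }
if ($password !== $password2) { $error .= "Sorry but your 2 passwords did not match!<br>"; }

// Duplicate-username check with a prepared statement. The user-supplied value is
// bound as a parameter, so it is never parsed as SQL whatever characters it holds.
if ($error === '') {
    $stmt = $db->prepare("SELECT userid FROM user WHERE userid = ?");
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        $error .= "Sorry but that username is already being used!<br>";
    }
    $stmt->close();
}

if ($error === '') {
    // Never store the password itself. password_hash() produces a salted bcrypt
    // hash; the login page checks a typed password against it with password_verify().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $time = time();
    $stmt = $db->prepare(
        "INSERT INTO user (userid, password, fullname, email, time) VALUES (?, ?, ?, ?, ?)"
    );
    $stmt->bind_param('ssssi', $userid, $hash, $fullname, $email, $time);
    if ($stmt->execute()) {
        // Redirect only after a successful insert.
        header('Refresh: 5; url=html-congrats.php');
        echo "Registration complete.";
    } else {
        // Keep the database error server-side; do not echo $stmt->error to the user.
        error_log("register: insert failed for userid=" . $userid . ": " . $stmt->error);
        $error .= "Sorry, registration failed. Please <a href='register.php'>try again</a>!";
    }
    $stmt->close();
}

if ($error !== '') {
    // $error holds only our own fixed strings; raw user input is never echoed back.
    echo $error;
}

// Matching check for the login page (assumed helper name): fetch the stored hash
// by userid and let password_verify() do the comparison.
function login_ok(mysqli $db, $userid, $password) {
    $stmt = $db->prepare("SELECT password FROM user WHERE userid = ?");
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && password_verify($password, $hash);
}
```

Two design points worth noting. The "does this username exist" query followed by the insert is not atomic, so two registrations for the same name submitted at the same moment can both pass the check; a UNIQUE index on user.userid closes that gap, and the insert-failure branch above is what catches the second one. Second, binding parameters replaces escaping rather than supplementing it: once values travel separately from the SQL text, there is no quoting step left to get wrong.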