I am building a PHP page that registers a user on my site. Part of it has a button to check whether the username has been taken or not, by opening a popup window and putting the entered username in the URL, and PHP queries the database like this:

<?php

include("connDB.php");
$chk = $_GET['chk'];

$sql="select UserName from reg where UserName=$chk";
$result=mysql_query($sql,$conn);

if($chk==NULL || $chk=="") {
    echo $chk." no username entered";
}elseif(!$result) {
    echo $chk." Username already in Use";
}else{
    echo $chk." is available";
}
?>

This page is opened in the popup window. The problem is that even if I type a username that is not in the database, it still comes back as user not available, i.e. meaning that it is in the database.

The database is actually empty???

    Try:

    
    <?php
    
    include("connDB.php");
    $chk = $_GET['chk'];
    
    if($chk=="") 
      {
       echo $chk." no username entered";
      }
    else
      {
      $sql="select UserName from reg where UserName='".$chk."' ";
      $result=mysql_query($sql,$conn) or die(mysql_error());
      }
    
    if(mysql_num_rows($result) > 0) 
      {
      echo $chk.": Username already in Use";
      }
    else
      {
       echo $chk." is available";
       }
    ?> 
    

    Note that your code suffers from the risk of SQL injection, which is a serious issue, and you should read up on it before placing this online.

      Thanks, yes, that makes more sense. No, I have thought of injection, and yes, that is the next step after I get it working properly.
      Thanks for the help.

        A faster way to do that is:

        <?php
        
        include("connDB.php");
        $chk = $_GET['chk'];
        
        if(isset($chk)){
            $sql=mysql_query("SELECT UserName FROM reg WHERE UserName='$chk'", $conn);

            if(mysql_num_rows($sql) != 0) {
                echo "Username Already taken!";
            } else {
                echo "The Username '".$chk."' is Available!";
            }
        } else {
            echo "No username entered!";
        }
        mysql_close($conn);
        ?>
        

          Actually, none of these gave a valid error message if nothing was entered, so I modified the first one like this:

          <?php
          
          include("connDB.php");
          $chk = $_GET['chk'];
          $sql="select UserName from reg where UserName='".$chk."' ";
          $result=mysql_query($sql,$conn) or die(mysql_error());
          
          if($chk=="" || !$result)
            {
             echo $chk." no username entered";
             exit;
            }
          
          
          if(mysql_num_rows($result) > 0)
            {
            echo $chk.": Username already in Use";
            }
          else
            {
             echo $chk." is available";
             }
          ?> 
          

          Did an exit if no username entered or result is false! What do you think?

            Seems to be fine, though I'll again echo the concern regarding data sanitization to prevent SQL injection attacks.

              Yes, the next step is dealing with SQL injection now that it is working! This post is now resolved!
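
The SQL injection concern raised in the replies above, shown as an added example that is not code from any poster in this thread: the same username check written once with string concatenation and once with a prepared statement. It assumes PDO with an in-memory SQLite table standing in for the thread's MySQL `reg` table (the `mysql_*` functions used above were removed in PHP 7.0); the function names and sample rows are made up for the illustration.

```php
<?php
// Added example: assumes the PDO SQLite driver is available. The in-memory
// table stands in for the thread's `reg` table; its rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE reg (UserName TEXT PRIMARY KEY)");
$pdo->exec("INSERT INTO reg (UserName) VALUES ('alice'), ('o''brien')");

// Concatenated query, as in the thread: the input becomes part of the SQL text.
function taken_concat(PDO $pdo, string $chk): bool
{
    $sql = "SELECT UserName FROM reg WHERE UserName='" . $chk . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Prepared statement: the input is bound as a value and never parsed as SQL.
function taken_prepared(PDO $pdo, string $chk): bool
{
    $stmt = $pdo->prepare("SELECT 1 FROM reg WHERE UserName = :name");
    $stmt->execute([':name' => $chk]);
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: a free name, a taken name, a name containing a quote,
// and a string that changes the WHERE clause when concatenated.
$inputs = ["bob", "alice", "o'brien", "nobody' OR '1'='1"];

foreach ($inputs as $chk) {
    try {
        $concat = taken_concat($pdo, $chk) ? "taken" : "available";
    } catch (PDOException $e) {
        $concat = "query error";   // the quote ended the SQL string literal early
    }
    $prepared = taken_prepared($pdo, $chk) ? "taken" : "available";
    // Escape the name before echoing it back into the popup's HTML.
    $shown = htmlspecialchars($chk, ENT_QUOTES, 'UTF-8');
    echo "$shown: concatenated=$concat, prepared=$prepared\n";
}
```

The two functions agree on the first two inputs and disagree on the last two, which is where the concatenated query stops treating the username as plain data.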
