
Checking if something is already in a database

I’m trying to create a member registration page. I need it to check to see if a username is taken already. So I thought I could do this

[code=php]
$username = $_REQUEST['username'];

$query = "select * from member_list where username='".$username."'";

$result = mysql_query($query);
[/code]

Then, if there is no entry in the database, I thought it would return a false value for $result. Problem is, it returns a true value. And if I do this

[code=php]
$row=mysql_fetch_array($result);

$name = stripslashes($row['username']);

echo $name;

[/code]

then it just keeps echoing the value of $username, whatever I put in, and whether or not it’s in the database!? I don’t understand it... surely if the name specified in $username is NOT in the database, then the MySQL query should not return anything?

Is there another way to find if something already exists in a database? Or will I have to use a for loop to check the value of every entry in the database against the username?

Thanks

Toby


3 Comments

@pyro Dec 31.2003 — Try this:

[code=php]$username = addslashes($_REQUEST['username']); # addslashes() added to keep users from being able to run DB queries - which would obviously be a security issue
$query = "SELECT * FROM member_list WHERE username='$username'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0) {
# no rows were found, go ahead and insert them
}
else {
# existing user...
}[/code]
@tobyw_1969 (author) Dec 31.2003 — Thanks Pyro - you seem to be single-handedly helping me to build my entire site!

I don't understand the addslashes thing though. What can people do if I don't add this? And what does adding it do? In my book it just says it escapes characters like / and &.

It's not a very 'risky' site - just a simple message board, but I'm obviously interested to make sure people can't hack in..
@pyro Dec 31.2003 — The reason you want to use [URL=http://us4.php.net/addslashes]addslashes()[/URL] is because it will add a \ (thus escaping) the ' and the ". If you do not do that, I could enter something like this for my username:

' OR name LIKE '%

Which would allow me to grab data other than what you intended me to get. Obviously this is just one example of what could be done... Depending on the server, a malicious user could wipe out the entire DB!
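
Added example (not code from this thread or its participants): the username check with the value bound as a query parameter, next to the concatenated form from the question, plus a UNIQUE constraint so the database rejects duplicates itself. It assumes PDO with the SQLite driver; the in-memory table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example. Constructed data: in-memory SQLite stands in for the MySQL member_list table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database itself reject duplicates, even if two requests race.
$db->exec('CREATE TABLE member_list (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO member_list (username) VALUES ('toby'), ('pyro')");

// "Before": input concatenated into the SQL text, as in the original question.
function countConcatenated(PDO $db, string $username): int
{
    $sql = "SELECT COUNT(*) FROM member_list WHERE username='" . $username . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// "After": the value is bound as a parameter and is never parsed as SQL.
function usernameTaken(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM member_list WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Registration: rely on the UNIQUE constraint instead of check-then-insert.
function register(PDO $db, string $username): bool
{
    try {
        $stmt = $db->prepare('INSERT INTO member_list (username) VALUES (:u)');
        $stmt->execute([':u' => $username]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate username).
        if (strpos((string) $e->getCode(), '23') === 0) {
            return false;
        }
        throw $e;
    }
}

// The input from the reply above, with the column renamed to username.
$crafted = "' OR username LIKE '%";

var_dump(countConcatenated($db, $crafted)); // concatenated: the WHERE clause matches every row
var_dump(usernameTaken($db, $crafted));     // bound: treated as a literal name, no match
var_dump(usernameTaken($db, 'toby'));       // existing member
var_dump(register($db, 'toby'));            // duplicate rejected by the constraint
var_dump(register($db, 'newmember'));       // new name accepted
```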