
What is wrong with this signup code?

process.php:

<?php

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("Cannot connect to server. Try again later."); 
mysql_select_db("$db_name")or die("Cannot connect to the Website. Try again later.");


function insert() {
//VARS from form
$username=$_POST['username'];
$password=$_POST['password'];
$email=$_POST['email'];
$encrypt=md5($password);
$tbl_name="members";
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, password, email)VALUES('$username', '$encrypt', '$email')";
$result=mysql_query($sql);
};

//Name
$name = $_POST['username'];
$query = "select username from $tbl_name where username='$name';"; 
$resulti = mysql_query($query) or die(mysql_error()); 
  if ($resulti == $query) {
echo "Sorry! That username is already taken!";
echo "<br />";
echo "<a href='website.com/signup.php'>Go Back</a>";
} else {
//Insert 'username'
insert();
echo "You are now a member!";
echo "<br />";
echo "<a href='website.com/login/login.php'>Go to login page</a>";
}


// close connection 
mysql_close();
?>
<html>
<style type="text/css">
body
{
background-color:#16D0F5;
}
</style>
<body>




</body>  

signup.php:

<html>
<meta name="viewport" content="width=device-width" /><script src="http://code.jquery.com/jquery-1.7.1.min.js"></script><script>did = 0;</script>
<head><center><img src="http://www.aphpsite.comuv.com/Login/header-logo.gif" /></center></head>
<title>Join Fun Chat</title>
<body>
<style type="text/css">
body
{
background-color:#16D0F5;
}
img
{
background-color:#3BED74;
}
tbody
{
background-color:#FFFFFF;
}
#back
{
background-color:#FF0000;
}
#footer
{
background-color:#1633F0;
color:#FFFFFF;
}
</style>
<br />
<br />
<br />
<br />
<br />
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tbody>
<tr>
<td><form name="form1" method="post" action="process.php">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<div id="Back">
<center><a href="loginpage.php">Go to the login page</a></center>
</div>
<td colspan="3"><strong>Sign-up below: </strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>Email</td>
<td>:</td>
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form>
</tbody>
</td>
</tr>
</table>
<br />
<br />
<br />
<div id="footer">
<center><b>Copyright stuff</b></center>
</div>
</body>
</html>

When I execute this on my server, it says "You are now a member" even though the username is in use by someone else. Help?

Last Post by diafol

You MUST clean your input - this is very insecure, try something like mysql_real_escape_string()

$query = "select username from $tbl_name where username='$name';"; 
$resulti = mysql_query($query) or die(mysql_error()); 
if ($resulti) {
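
The duplicate-username check and the input handling discussed in this thread, as an added example that is not part of the original posts. It swaps the mysql_* functions (removed in PHP 7.0) for PDO prepared statements, runs against a constructed in-memory SQLite table instead of the thread's MySQL database, and the signup() helper and sample values are hypothetical.

```php
<?php
// Added example. A constructed in-memory SQLite table stands in for the
// thread's MySQL `members` table (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database itself refuse a duplicate username.
$pdo->exec('CREATE TABLE members (
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email    TEXT NOT NULL
)');

// Hypothetical helper: returns "created", "taken" or "invalid".
function signup(PDO $pdo, string $username, string $password, string $email): string
{
    $username = trim($username);
    if ($username === '' || $password === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }

    // Placeholders keep user input out of the SQL text.
    $check = $pdo->prepare('SELECT 1 FROM members WHERE username = ?');
    $check->execute([$username]);
    // Decide on the fetched row. A statement or result handle is truthy
    // even when no row matched, so testing the handle proves nothing.
    if ($check->fetchColumn() !== false) {
        return 'taken';
    }

    try {
        $insert = $pdo->prepare('INSERT INTO members (username, password, email) VALUES (?, ?, ?)');
        // password_hash() gives a salted, slow hash; md5() does not.
        $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email]);
    } catch (PDOException $e) {
        // Two requests can both pass the SELECT; the UNIQUE constraint
        // rejects the second INSERT (SQLSTATE class 23).
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'taken';
        }
        throw $e;
    }
    return 'created';
}

// Constructed sample input: a new name, the same name again, a name with a quote.
echo signup($pdo, 'alice', 'first-pass', 'alice@example.com'), "\n";
echo signup($pdo, 'alice', 'other-pass', 'alice2@example.com'), "\n";
echo signup($pdo, "o'brien", 'third-pass', 'ob@example.com'), "\n";
```

Hashes written by password_hash() are checked at login with password_verify(), not by comparing strings.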