What's wrong with this code? PHP&MYSQL

Question

Djmann1013 0 Mr. Parker

11 Years Ago

What is wrong with this signup code?

process.php:

<?php

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("Cannot connect to server. Try again later."); 
mysql_select_db("$db_name")or die("Cannot connect to the Website. Try again later.");


function insert() {
//VARS from form
$username=$_POST['username'];
$password=$_POST['password'];
$email=$_POST['email'];
$encrypt=md5($password);
$tbl_name="members";
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, password, email)VALUES('$username', '$encrypt', '$email')";
$result=mysql_query($sql);
};

//Name
$name = $_POST['username'];
$query = "select username from $tbl_name where username='$name';"; 
$resulti = mysql_query($query) or die(mysql_error()); 
  if ($resulti == $query) {
echo "Sorry! That username is already taken!";
echo "<br />";
echo "<a href='website.com/signup.php'>Go Back</a>";
} else {
//Insert 'username'
insert();
echo "You are now a member!";
echo "<br />";
echo "<a href='website.com/login/login.php'>Go to login page</a>";
}


// close connection 
mysql_close();
?>
<html>
<style type="text/css">
body
{
background-color:#16D0F5;
}
</style>
<body>




</body>

signup.php:

<html>
<meta name="viewport" content="width=device-width" /><script src="http://code.jquery.com/jquery-1.7.1.min.js"></script><script>did = 0;</script>
<head><center><img src="http://www.aphpsite.comuv.com/Login/header-logo.gif" /></center></head>
<title>Join Fun Chat</title>
<body>
<style type="text/css">
body
{
background-color:#16D0F5;
}
img
{
background-color:#3BED74;
}
tbody
{
background-color:#FFFFFF;
}
#back
{
background-color:#FF0000;
}
#footer
{
background-color:#1633F0;
color:#FFFFFF;
}
</style>
<br />
<br />
<br />
<br />
<br />
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tbody>
<tr>
<td><form name="form1" method="post" action="process.php">
<table width="100%" border="0" cellspacing="1" cellpadding="3">
<tr>
<div id="Back">
<center><a href="loginpage.php">Go to the login page</a></center>
</div>
<td colspan="3"><strong>Sign-up below: </strong></td>
</tr>
<tr>
<td width="71">Username</td>
<td width="6">:</td>
<td width="301"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>Email</td>
<td>:</td>
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form>
</tbody>
</td>
</tr>
</table>
<br />
<br />
<br />
<div id="footer">
<center><b>Copyright stuff</b></center>
</div>
</body>
</html>

When I execute this on my server, it says "You are now a member" even though the username is in use by someone else. Help?

mysql php

2 Contributors
1 Reply
237 Views
37 Minutes Discussion Span
Latest Post 11 Years Ago Latest Post by diafol

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

diafol · Answer 1 · 2012-05-26T15:27:32+00:00

You MUST clean your input - this is very insecure, try something like mysql_real_escape_string()

$query = "select username from $tbl_name where username='$name';"; 
$resulti = mysql_query($query) or die(mysql_error()); 
if ($resulti) {