MichaelMackey Posted June 3, 2008

I've been having a bit of trouble thinking this one through. So I have my information pages set up so that JavaScript does the validation, then the form submits. But in order to check the login name I need a query (is that doable in JavaScript?). Right now my best option looks like submitting the form, validating the login, then if it doesn't work I fill in the fields again and give an error message. But that seems like a lot of extra processing for just a single validation check.

Edit: Sorry, I guess I should clarify. I'm checking the login name for duplicates as the user is being created. Is there an easier way to do this? Thanks for any replies.
Lodius2000 Posted June 3, 2008

This is what I use:

```php
<?php
// Check that the username does not already exist.
// Note: the submitted value is interpolated straight into the SQL string.
$q = $db->query("SELECT username FROM users WHERE username = '$_POST[username]'");
if ($q->numrows() > 0) {
    $errors[] = "Your username is already in use, please choose another";
}
?>
```

It is all PHP, but it does the job perfectly. I use PEAR DB so my query structure is a little weird, but I know that $q->numrows() is the equivalent of mysql_num_rows. Hope that helps.
MichaelMackey (Author) Posted June 3, 2008

That's interesting, it will get rid of a few lines from what I have right now, thanks. But that still requires a submit of the form as far as I understand, as well as repopulating the previously filled-in fields. I guess with the way JS and PHP seem to work together this is the best I can hope for for now, though.
Lodius2000 Posted June 3, 2008

Why do you need JavaScript? NOTE: I do not know JavaScript, so really dumb it down for me. I would be happy to post my user creation page in its entirety if you want, and it is all PHP.
chronister Posted June 3, 2008

Don't rely on JavaScript for anything security related. If you need to validate, JavaScript can save a page refresh, but it cannot be relied upon. Any form that relies on JS only can be broken with about 4 mouse clicks to turn JS off in Firefox. I personally don't even use JavaScript hardly at all. I can almost write a line or 2, but for most anything I need JS for I find a pre-made JS script that I can copy & paste.

> This is what I use:
>
> ```php
> <?php
> //check that the username does not already exist
> $q = $db->query("SELECT username FROM users WHERE username = '$_POST[username]'");
> if ($q->numrows() > 0) {
>     $errors[] = "Your username is already in use, please choose another";
> }
> ?>
> ```
>
> It is all PHP, but it does the job perfectly. I use PEAR DB so my query structure is a little weird, but I know that $q->numrows() is the equivalent of mysql_num_rows. Hope that helps.

This is not going to help the original poster 1 bit, as this is a call to a PHP class and you have not posted the class definition. Also it is BAD to use a raw $_POST var in the query, as it can be used for injection attacks. The query you would want to use is something like this....

```php
<?php
// Escape the submitted name before it goes into the query string.
$name2check = addslashes($_POST['username_field']);
$query = "SELECT * FROM users WHERE username = '$name2check'";
$results = mysql_query($query);

if (mysql_num_rows($results) > 0) {
    echo 'Username already taken';
} else {
    // do some processing here
}
?>
```

Nate
Wolphie Posted June 4, 2008

Also bear strongly in mind that JavaScript can be altered easily, which makes way for major security holes.
Lodius2000 Posted June 4, 2008

> This is not going to help the original poster 1 bit, as this is a call to a PHP class and you have not posted the class definition. Also it is BAD to use a raw $_POST var in the query, as it can be used for injection attacks. The query you would want to use is something like this....

As I said, "I use PEAR DB so my query structure is a little weird, but I know that $q->numrows() is the equivalent of mysql_num_rows." PEAR DB is a database abstraction layer; it has dozens of objects. Perhaps I wasn't clear enough, but when I said "my query structure is a little weird," I meant that because of PEAR DB I do not use normal PHP MySQL functions. But I did offer an equivalency for one of the objects, i.e. $q->numrows() is the equivalent of mysql_num_rows. Also, nowhere did I claim that this is a secure script.

chronister: while I appreciate your input on my code, using a tone that makes you sound like less of a twerp would be appreciated in the future. You crossed the line from constructive advice about a security threat to being a nag. Let's try to keep it all constructive, because after all MichaelMackey did reply that he thought my post was interesting, and suggested that it would streamline his process.

That's all I got.
chronister Posted June 4, 2008

@Lodius2000 I was not trying to insult you or your code. I did not catch the PEAR DB part, so sorry. The part about using a raw $_POST was not intended for you, but as advice to the original poster.

<snip>
Wolphie Posted June 4, 2008

Now now ladies. chronister: that was not necessary. He clearly stated that the structure of his code is different than that of native PHP.

However, if you want to argue over security: addslashes will not do a damn thing, since the preferred method is to strip slashes from all database input. My recommendation is to use mysql_real_escape_string() for everything that is being inserted into the database. Although this does not explicitly prevent SQL injections, it helps. If you want real tight security, use form validation, regular expressions and escaping/removing all HTML elements from inputs before they are inserted into the database. This can help to prevent cross-site scripting.

```php
<?php
$myVal = mysql_real_escape_string(htmlspecialchars(htmlentities($_POST['myData'])));
$sql = sprintf("SELECT COUNT(`username`) FROM `db_name` . `table_name` WHERE `username` = '%s'", $myVal);
$res = mysql_query($sql) or die('<strong>MySQL Error: </strong>' . mysql_error());

// mysql_query() returns a result resource; the COUNT value is in its first row.
$row = mysql_fetch_row($res);
if ($row[0] > 0) {
    print 'Username already in use!';
}
?>
```
chronister Posted June 4, 2008

hahaha... got my slashes functions mixed up, I guess. Extremely tired, so things are not settling in my head properly (as if they ever do).

I was always under the impression that addslashes is for protecting against attacks, as from my understanding a MySQL injection attack would do something like entering this into a username box:

.'OR 1=1';

Which would concatenate the previous string and append the OR clause, thereby making the query always return true, possibly giving you information you're not supposed to have. So then addslashes would escape this extra ' making the OR clause not part of the query.

From php.net, http://us3.php.net/addslashes:

> An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. Most databases do this with a \ which would mean O\'reilly.

If I am mistaken then please let me know. I do know that mysql_real_escape_string() is the preferred way, but a db connection has to be initialized before it will work.

Nate
Wolphie Posted June 4, 2008

mysql_real_escape_string() should implicitly do that for you. However, I could be mistaken, I often am, although I do know that stripslashes() is often used if get_magic_quotes_gpc() is switched on, which escapes data (same as addslashes()). I know that's what I do.

```php
<?php
function sanitize($str)
{
    // Secure database inputs: undo magic-quotes escaping first so the value
    // is not escaped twice, then escape for MySQL and HTML.
    $str = (get_magic_quotes_gpc()) ? stripslashes($str) : $str;
    $str = mysql_real_escape_string(htmlspecialchars(htmlentities($str)));
    return $str;
}
?>
```
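The posts above (chronister's addslashes() version and Wolphie's mysql_real_escape_string()/htmlentities() chain) both try to make the submitted name safe to paste into SQL text. The following is an added example, not code from any poster in this thread, showing the approach that removes the escaping question entirely: validate the shape of the name, bind it as a query parameter so it is never part of the SQL string, and HTML-escape only when printing it back into the form. It assumes PDO with an in-memory SQLite database so it runs stand-alone; the table, the seeded rows and the sample inputs are constructed for the demonstration, and a real deployment would use its MySQL DSN instead.

```php
<?php
// Added example (not from any post in this thread): a duplicate-username check
// that does not rely on escaping. In-memory SQLite keeps it stand-alone; for
// MySQL swap the DSN, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4'.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// The UNIQUE constraint is the real guard against two registrations racing
// for the same name; the SELECT below is the friendly check before INSERT.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows

// Step 1: whitelist the input shape before it goes anywhere near SQL or HTML.
// Quotes, spaces and angle brackets are rejected outright, so there is nothing
// for addslashes()/htmlentities() to do on the way in.
function valid_username_format(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $name);
}

// Step 2: ask the database with the value bound as a parameter. The driver
// sends it separately from the SQL text, so quote characters stay literal.
function username_taken(PDO $db, string $name): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = :name");
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn() > 0;
}

// The interpolating pattern from the thread, kept only for contrast: the
// submitted text becomes part of the SQL statement itself.
function username_taken_unsafe(PDO $db, string $name): bool
{
    $q = $db->query("SELECT COUNT(*) FROM users WHERE username = '$name'");
    return (int) $q->fetchColumn() > 0;
}

// Step 3: escape for HTML at output time, when re-filling the form field.
function render_error(string $msg, string $submitted): string
{
    $safe = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
    return "<p class=\"error\">$msg</p><input name=\"username\" value=\"$safe\">";
}

// Constructed inputs standing in for $_POST['username'].
foreach (['alice', 'carol', "' OR 1=1 --", '<b>x</b>'] as $input) {
    if (!valid_username_format($input)) {
        echo render_error('Use 3-20 letters, digits or underscores', $input), "\n";
    } elseif (username_taken($db, $input)) {
        echo render_error('Username already in use', $input), "\n";
    } else {
        echo "OK to create: $input\n";
    }
}

// Contrast on the OR 1=1 case chronister raises, for a name that does not
// exist: the bound query reports it free, the interpolated query reports it
// taken because the condition now matches every row.
$probe = "x' OR 1=1 --";
echo 'prepared:     ', username_taken($db, $probe) ? 'taken' : 'free', "\n";
echo 'interpolated: ', username_taken_unsafe($db, $probe) ? 'taken' : 'free', "\n";
```

Run it with `php check.php`. Because the format check runs first, the quoted and HTML-bearing inputs never reach a query at all; the final contrast feeds the same string to both query styles to show why the bound parameter, not the escaping function, is what matters. Keeping the UNIQUE index on the column also covers the window between the SELECT and the eventual INSERT, where a second request could register the same name; catch the constraint violation on INSERT and show the same "already in use" message.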
haku Posted June 4, 2008

To go back to the original question: if you want to do this without reloading the page, you will have to use Ajax, which is not easy JavaScripting at all (though it is not necessarily that hard either). Basically, you have to set up JavaScript to watch the input where the user is entering the username, then you have that JavaScript make a request in the background to a script (most likely PHP since you know it) that will then check to see if the username exists. This script sends a reply back to the JavaScript, which then reacts accordingly to let the user know if the username is already in use. This should only be used in combination with a PHP solution that checks the username even if JavaScript is turned off.
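The background script haku describes, as an added example that is not part of this thread: a small PHP endpoint (call it check_username.php, a name assumed here) that the page's JavaScript requests with the typed name, for instance check_username.php?username=alice, and that answers in JSON. The in-memory SQLite database, the seeded rows and the command-line fallback value are constructed so the script runs without a web server; the browser-side code that calls it is not shown.

```php
<?php
// Added example (not from any post in this thread): JSON endpoint for an Ajax
// username check. The Ajax call is a convenience for the user, not the
// control: the registration POST must run the same validation again, because
// a visitor with JavaScript off (or one editing requests) never calls this.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE users (username TEXT NOT NULL UNIQUE)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows

// Decide availability for one name; the same function belongs in the form
// handler so both paths give identical answers.
function availability(PDO $db, string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        return ['available' => false, 'reason' => 'invalid format'];
    }
    // Bound parameter: the name never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT 1 FROM users WHERE username = :name LIMIT 1");
    $stmt->execute([':name' => $name]);
    if ($stmt->fetchColumn() !== false) {
        return ['available' => false, 'reason' => 'already in use'];
    }
    return ['available' => true];
}

// Take the name the JavaScript sent; fall back to a constructed value when
// run from the command line so the script can be tried without a web server.
$name = (isset($_GET['username']) && is_string($_GET['username']))
    ? $_GET['username']
    : 'carol';

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');
}

// The reply carries no HTML; the page should put the result into the DOM as
// text (textContent), never as markup.
echo json_encode(availability($db, $name)), "\n";
```

Two operational points worth keeping in mind with such an endpoint. It tells anyone who asks which usernames exist, so rate-limit it or only serve it to a session that has started registration. And its answer is advisory: keep the UNIQUE constraint on the column and re-run availability() when the form is finally submitted, since the name can be taken between the Ajax check and the INSERT.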
MichaelMackey (Author) Posted June 4, 2008

Ok, thanks for the help, there are some interesting things in this thread. I only picked up PHP a week ago, so this is a lot of learning :)