Dark57 Posted April 13, 2010

Ok so for some reason my code is allowing duplicate entries to be submitted and even blank entries. I'm not sure why, it's like it's skipping the entire checking process and going straight to entering it into the database. I've been fiddling with it for a day or two, trying different things and this is what I have right now, this set of code comes after it checks to see if the input fields are empty. Can anyone see anything wrong with this?

```php
//If not empty, compare emails to database
$sql = "SELECT COUNT(*) FROM mytable WHERE email = '$email'";
$result = mysql_query($sql);
if($result) {
    if(mysql_num_rows($result) == 1) {
        $count = (int)mysql_result($result, 0, 0);
        if($count > 0) {
            $_SESSION['emailfail']=1;
            header("location:register_fail.php");
        }
    }
}
$sql = "SELECT COUNT(*) FROM mytable WHERE username = '$username'";
$result = mysql_query($sql);
if($result) {
    if(mysql_num_rows($result) == 1) {
        $count = (int)mysql_result($result, 0, 0);
        if($count > 0) {
            $_SESSION['usernamefail']=1;
            header("location:register_fail.php");
        }
    }
}
else {
    //If emails arent duplicates, write to file.
    // To protect MySQL injection
    $username = stripslashes($username);
    $password = stripslashes($password);
    $email = stripslashes($email);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $password = mysql_real_escape_string($email);
    $password = md5($password);

    $register="INSERT INTO $tbl_name (username, password, email) VALUES ('$username','$password','$email')";
    if (!mysql_query($register,$con)) {
        die('Error: ' . mysql_error());
    }
    header("location:register_success.php");
}
```

trq Posted April 13, 2010

You need to call exit after any calls to header to prevent the script from continuing to execute.

[ot]
This piece of logic might also want looking at.

```php
$password = mysql_real_escape_string($password);
$password = mysql_real_escape_string($email);
$password = md5($password);
```
[/ot]

Dark57 Posted April 13, 2010

So after each header() I should put exit();? That won't affect the rest of the script from running, correct?

ddubs Posted April 14, 2010

Having the statements in if()'s is fine, have you tried echoing out the data you are "if'ing" to see what's actually in it? Have you tested your queries to verify they return the proper results you are expecting?

PFMaBiSmAd Posted April 14, 2010

Also, your else{} clause that contains the INSERT query will be executed when the query that is testing the username fails due to an error in the query (i.e. $result is false), so I would guess that there is some problem with your database server or the query has a problem with the table or column name.

Both of the if($result) tests should have an else{} clause that handles your error reporting for when the queries fail. For debugging purposes, you could echo mysql_error() in the else{} code to determine why the query is failing.

Dark57 Posted April 14, 2010

Hrm, well I changed something and now I can't get a successful login. Now it always fails, I will have to play with it some more tomorrow.

trq Posted April 14, 2010

> Hrm, well I changed something and now I can't get a successful login. Now it always fails, I will have to play with it some more tomorrow.

Likely because of the password logic I pointed out originally.

Dark57 Posted April 14, 2010

No, I mean registration success. I changed the $password = mysql_real_escape_string($email); to $email = mysql_real_escape_string($email); Now every time I try to register any name it says I can't complete it for every reason I told it to detect.

litebearer Posted April 14, 2010

Pseudo code...

```
$t_user = sanitized user name from form
$t_email = sanitized email from form
querys = select * from table where username = '$t_user' OR email = '$t_email'
$num_records = count of querys results
if $num_records > 0
    send back to form page
else
    enter data in table and move to login success page
```

```php
<?PHP
session_start();

/*
check to see if form submitted
check to see if form data is present
get and sanitize the form data
connect to database
*/

// reset both failure flags before checking
$_SESSION['emailfail'] = 0;
$_SESSION['usernamefail'] = 0;

// is the email already registered?
$sql = "SELECT * FROM mytable WHERE email = '$email'";
$result = mysql_query($sql);
$number=mysql_num_rows($result);
if($number>0) {
    $_SESSION['emailfail']=1;
}

// is the username already registered?
$sql = "SELECT * FROM mytable WHERE username = '$username'";
$result = mysql_query($sql);
$number=mysql_num_rows($result);
if($number>0) {
    $_SESSION['usernamefail']=1;
}

// either check failed: send back to the fail page and stop
if($_SESSION['emailfail']>0 OR $_SESSION['usernamefail']>0) {
?>
<meta http-equiv="Refresh" content="0;url=register_fail.php">
<?PHP
    exit();
}

/*
process and insert data into data base here
then...
*/
?>
<meta http-equiv="Refresh" content="0;url=register_success.php">
<?PHP
exit();
?>
```

Dark57 Posted April 14, 2010

litebearer, in your code I don't see where it's comparing the strings entered into the form and the entries in the database. I don't see what your code is accomplishing without this.

litebearer Posted April 14, 2010

Dark... this portion

```php
/*
check to see if form submitted
check to see if form data is present
get and sanitize the form data
connect to database
*/
```

was meant for him to actually do. He was to replace that comment with the actual code for doing so. When that is accomplished, then $email and $username will contain the values from his form page. Therefore the queries WILL check to see if either the username and/or the email are already in the database (make sense or am I missing something)

Dark57 Posted April 14, 2010

Oh I didn't get that part from your comment.

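The advice in this thread (stop once a check fails, treat a failed query as an error rather than as "no duplicate", test both columns) combined in one added example that is not any poster's code. It swaps the mysql_* calls and md5() for PDO prepared statements, UNIQUE constraints and password_hash(); the `users` table, the `register()` helper and the in-memory SQLite database are assumptions so the script runs on its own.

```php
<?php
// Added example, not code from the thread. The users table, register() and the
// in-memory SQLite database are assumptions chosen so the script runs offline.
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on query failure so a failed check can never fall through to the INSERT.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE constraints make the database the final arbiter of duplicates.
    $pdo->exec('CREATE TABLE users (username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    return $pdo;
}

// Returns 'ok', 'empty', 'usernamefail', 'emailfail' or 'duplicate'.
function register(PDO $pdo, string $username, string $email, string $password): string
{
    $username = trim($username);
    $email = trim($email);
    if ($username === '' || $email === '' || $password === '') {
        return 'empty';
    }
    // Pre-check with bound parameters; the database decides which column matched.
    $check = $pdo->prepare('SELECT username = ? AS name_taken FROM users WHERE username = ? OR email = ?');
    $check->execute([$username, $username, $email]);
    $nameTaken = $check->fetchColumn();
    if ($nameTaken !== false) {
        return (int) $nameTaken === 1 ? 'usernamefail' : 'emailfail';
    }
    try {
        $insert = $pdo->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
        $insert->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        // SQLSTATE class 23: another request inserted the same value after the check.
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return 'duplicate';
        }
        throw $e;
    }
    return 'ok';
}

// Constructed sample input. A page handler would redirect and exit on any non-'ok' result.
$pdo = open_db();
foreach ([['dark', 'dark@example.com', 'pw1'], ['dark', 'other@example.com', 'pw2'],
          ['new', 'dark@example.com', 'pw3'], ['', 'x@example.com', 'pw4']] as $row) {
    echo register($pdo, ...$row), PHP_EOL;
}
```
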
This topic is now archived and is closed to further replies.