
I am using WYSIWYG Webbuilder 8 to construct a website. Part of the website will be restricted access to registered users only. To this end I have created a MySQL database. I also have a sign-up form. When a new user wishes to sign up I would like to have the username automatically checked against the database to make sure it doesn't already exist. I intend doing this using an AJAX function, as the WYSIWYG software has this option built in. What I need to build myself, and this is where I'm struggling, is the validate.php that the AJAX command will go to.

I have something like this at present (please excuse my ignorance!):

<?php
// The AJAX call posts the username in the 'data' field; default to an empty
// string if it is missing so the script does not raise an undefined-index notice
$username = isset($_POST['data']) ? $_POST['data'] : '';

// TODO: lookup username in database...
if ($username == 'user')
{
  echo "true";   // username already exists
}
else
{
  echo "false";  // username is available
}
?>

I have no real idea if this is adequate or secure. I have been reading some scary stuff about SQL injection and other black arts involving the use of forms, and I'd like to avoid pitfalls if possible. Would some kind soul please have a look at my request and help me out? I'm not a programmer by any stretch of the imagination and I'm way out of my depth here. Thanks in advance for your help.

Comments:

  • For sure you should escape your $username using for instance mysql_real_escape_string(). I usually create my own function that checks for fraudulent content and eventually applies the mysql_real_escape_string(). Then you should only use this data in the query. Preferably using prepared statements. Commented Jan 28, 2013 at 14:45
  • @up: manual and mysql_real_escape_string: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Commented Jan 28, 2013 at 14:50

1 Answer

You want to use something that will handle the chatter between your application and the database for you. One of the best tools available for this today is the PDO library, specifically PDO-MySQL for your usage. It will handle escaping and SQL injection issues for you by using parameterized (prepared) statements.

Here's an example of connecting to a database and issuing a query in MySQL:

<?php
// MySQL's name for the character set is utf8mb4 (or utf8), not "UTF-8"
$db = new PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'username', 'password');
// Throw exceptions on driver errors instead of failing silently
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The username is bound as a parameter, never concatenated into the SQL text
$statement = $db->prepare('SELECT user_id FROM users WHERE username = :username LIMIT 1');
$statement->bindValue(':username', $_POST['data']);
$statement->execute();

$userId = $statement->fetchColumn();
if ($userId === false) {
    // No matching username was found in the database
} else {
    // A matching username was found in the database
    // $userId contains the matching user ID
}

Knowing how to pass this back to your JS/AJAX integration could be dependent on what framework (if any) you are using and what format you would like that data in.
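A complete validate.php that puts the answer's PDO approach into the asker's stub, added here as an example (it is not code from the question or the answer). The DSN, credentials, the users table and the 'data' field name are assumptions taken from the thread; the "true"/"false" reply format follows the asker's stub.

```php
<?php
// validate.php: answers the sign-up form's AJAX check "is this username taken?"
// Echoes "true" if the username already exists, "false" otherwise.
// DSN, credentials and the users table below are assumed, not taken from a real site.

header('Content-Type: text/plain; charset=utf-8');

// Only accept a POST carrying the 'data' field, which is how the form's AJAX call submits it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['data'])) {
    http_response_code(400);
    echo 'false';
    exit;
}

$username = trim((string) $_POST['data']);

// Validate the shape before touching the database: 3-32 characters of letters,
// digits, underscore or dot. Rejecting anything else cheaply limits what reaches the query.
if (!preg_match('/^[A-Za-z0-9_.]{3,32}$/', $username)) {
    http_response_code(400);
    echo 'false';
    exit;
}

try {
    $db = new PDO(
        'mysql:host=localhost;dbname=dbname;charset=utf8mb4', // assumed DSN
        'username',                                            // assumed credentials
        'password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );

    // The username is bound as a parameter, never concatenated into the SQL,
    // so whatever it contains cannot change the statement's structure.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :username LIMIT 1');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();

    echo $stmt->fetchColumn() !== false ? 'true' : 'false';
} catch (PDOException $e) {
    // Log the detail server-side; never echo $e->getMessage() to the browser,
    // since it can reveal table names, credentials or the SQL text.
    error_log('validate.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'false';
}
```

This AJAX check is only a convenience for the form: a client can skip it entirely, so the INSERT performed at sign-up must still enforce uniqueness itself (a UNIQUE index on the username column and handling of the duplicate-key error).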
