TalkPHP - Check Username in DB

TalkPHP (http://www.talkphp.com/forums.php)

- Advanced PHP Programming (http://www.talkphp.com/advanced-php-programming/)

- - Check Username in DB (http://www.talkphp.com/advanced-php-programming/4947-check-username-db.html)

Check Username in DB

Hi i have been surfing the web, trying to find away to show the user if the username they want is taken or not.

Was hoping to do this via Javascript

Any pointers

the field is $username

Thanks

So what you want is a field where a user can type in a name and it returns a message stating if it is taken or not? If so you will need to use ajax and a server language such as PHP. The javascript can send to and receive from the script, but the server script will have to do the actual checking.

Javascript is 100% run from the users browser and should never under any circumstances be used to access a secured database.

This might help (found from google search ajax validate if username is taken) http://jqueryfordesigners.com/using-...alidate-forms/

Do you see anything wrong with the following code, it wont allow me to login

PHP Code:


		
			
<?php

$login = "SELECT * FROM tbl_user_account WHERE user_account_username = '".$username."' AND user_account_password = '".$password."'";

$result = mysql_query($login);



if (!$result)

{

header('Location: login.php?error=1');

}

else

{

$sqlupdate = "UPDATE tbl_user_account SET user_account_last_login = '".$now."', user_account_last_login_ip = '".$ip."' WHERE user_account_username ='".$username."' AND user_account_password = '".$password."'";

setcookie("logincookie", $username, time()+3600);

header('Location: profile.php'); 

}

mysql_free_result($result);

?>

Where are $username and $password set? Where does the script take you? Does it always error out or does it report a login. If it reports a sucessful login, is your cookie modified correctly?

I also see some major security issues:
1. No SQL cleaning that I can see
2. No validation, you merely stick the users username in the cookie (cookies can be created and modified by the user)

While not a critical note, you should be working with database IDs. Instead of updating where username and password is X, you need to find users by their unique database ID.

Just use JS/jQuery to access a .php file (with an attribute of ?user={username}) and then have it return the string (E.g. <span style="color:#009900;">Username is not taken!</span>) and place that in the elements .innerHTML property.

HTML Code:

<form action="" method="">

<input type="text" name="username" id="username_elm" />

<button onclick="check_username('username_elm', document.getElementById('username_elm').value);">Check Username</button>

</form>

javascript Code:

function check_username(elm, value) {
 var xhr = new XMLHttpRequest();
     xhr.open('GET', '/path/to/script.php?username=' + value, false);
     xhr.send(null);

 document.getElementById(elm).innerHTML = xhr.responseText;
return;
}

PHP Code:


		
			
<?php

$link = mysql_connect(/* Arguments... */);

$sql = 'SELECT username FROM db.users WHERE username = ' . mysql_real_escape_string($_GET['username']) . ' LIMIT 1');

$result = mysql_query($sql, $link);

if (mysql_num_rows($result) == 0) {
  echo '<span style=\'color:#009900;\'>Username is not taken!</span>';
} else {
  echo '<span style=\'color:#990000;\'>Username is taken.</span>';
}
?>

(Wow, I wrote more than I thought I was going to...)

Notes:

You would want to store the JS DOM value for the element in a variable.
You would need to check for w3c browser compatibility with the XMLHttpRequest (xhr).
You could just pass the DOM element in the JS function (faster).

Quote:

I also see some major security issues:
1. No SQL cleaning that I can see
2. No validation, you merely stick the users username in the cookie (cookies can be created and modified by the user)

Ok I have had a goodnight sleep to think about everything you said.
1. While I am not sure why I would need SQL cleaning? as I googled SQL cleaning, and got no where - so maybe you can explain.

2. I forgot to place the $username = $_POST['username']; and $password = SHA1($_POST['password']);
- Yes I am using SHA1 not MD5 the main reason is I was informed by someone in (a Big Y! company) that MD5 was able to be hacked?

As for cookies this is how it will be done.
The user will get a random 100 number string which will be saved into the DB.
If the user logs out then that Random ID number would get deleted.
The Random ID is linked to the users ID number for that session.

No two Random ID can be the same for a session, with a session lasting about 15 min if the user is idling.

Meaning I would need to set up cron job or something, to check that it has been 15min between the last timestamp and now.

Let me know your thoughts.

For the timestamped ID: Why would you not just check it on every page load? It would be easier than checking every single ID every minute (or 15, there would be overlap).

Well the idea of the 15 min is to see if it has been longer then 15min since the user has done something on the site.

If so they would have to login again.

Any thoughts.

Quote:

Originally Posted by russellharrower (Post 28421)

Ok I have had a goodnight sleep to think about everything you said.
1. While I am not sure why I would need SQL cleaning? as I googled SQL cleaning, and got no where - so maybe you can explain.

It is the foundation to basic SQL security, this is a good starting guide: http://www.tizag.com/mysqlTutorial/m...-injection.php

So if I add the following

Code:

$username = mysql_escape_string($_POST['username']);

$password = mysql_escape_string(sha1($_POST['password']));

Is that correct?
Should I also do that for the First name, last name, email address field?

Thanks.

Every value from the outside that you put into the database should either be fully numeric or cleaned via mysql_real_escape_string.