In my website usernames are saved like this robert and funny thing is that one can registers with the name Robert (Capital R).
How would I prevent these somehow duplicated usernames?
My project is in mysql/php
if (mysql_num_rows(mysql_query("SELECT username FROM user_table WHERE username='$username'")) > 0){
die("duplicated usernames can't be saved , this username exists.");
}
Even with this code Robert can be registered.
You should add a UNIQUE index on the username column.
Also, you may find some useful info here: https://stackoverflow.com/search?q=mysql+case+sensitive
Convert them both to the same case and then compare them.
As such:
SELECT username FROM table WHERE LOWER(username) = LOWER('$username')
Hopefully you've sanitized the user input for the username to prevent SQL injections, after that, use PHP to LC your usernames before checking for duplicates or inserting the name in the database:
$username = strtolower($username);
if (mysql_num_rows(mysql_query("SELECT username FROM user_table WHERE username='$username'")) > 0){
die("duplicated usernames can't be saved , this username exists.");
}
php has very important function but people ignore it in start strtolower , use it at the time of
registering and query hence
$username = strtolower($username);
you will never face such problem again .
Related
I have table which contain [Username, Email] and I'm checking them for non repeating any of them,
but It's case-sensitive , so if there is user that's Username is "SelvsterTP", if other user typed it, he won't be able to register, but if he type "selvstertp" for example, no errors face him! ,
I think of making extra column called 'UsernameCheck' and upload to it Username 'lowercase' , then check on that column (same with Email) ,
but it seems to me not the best code for that situation, so any ideas or suggestions?
Original code
$CheckusernameRow =
RowCountDB("Id","users","Username",$Username); //function
to get rows
My Idea
$CheckusernameRow =
RowCountDB("Id","users","UsernameCheck",strtolower($Username));
Did you try the LOWER() selector?
$lowerUsername = strtolower($Username);
$query = "SELECT id FROM users WHERE LOWER(Username) LIKE '$lowerUsername'";
So here's the deal: I'd like to force my clients to change their password every 3 months. That's easy.
But I also want them to choose a different password which is different from the previous 3 password.
And the difficult thing is that I'm storing the 4 information (3 last passwords and date of the last password change) in the same row of the db.
So I'm setting row-->old_passwords = date()::psw_1::psw_2::psw_3
And checking if($POST['password']== psw_1 || $POST['password']== psw_2 || $POST['password']== psw_3)
But how do I store the new password as being psw_3, the old one becoming psw_2 and that one psw_1 - ultimately erasing the original psw_1 ?
Don't worry about the CWE-257 - passwords are hashed of course !
You should do an "UPDATE" query, updating the fields with the new passwords ?
Something like this should work, but be sure to protect against mysql injection.
ALSO as said by #Fred -ii- , $POST['password'] is never gonna work, you should read about superglobals. $_POST['password'] will give you a better chance of achieving what you are trying to do ;)
$mysql->query("UPDATE tableStoringPwd pwd SET pwd.psw1 = pwd.psw2 , pwd.psw2 = pwd.psw3, pwd.psw3 = '" . $newPwd . "' WHERE userId = ". $userId );
EDIT :
I wonder if it is possible to search a value in columns using in clause having column names as in elements.
for instance :
$username_or_mail = 'value';
select * from users where $username_or_mail in(username,email);
where username and email are column names in table users.
I tried this and seems that it is working but i want to be sure if i'm right.
Would I be right in assuming you're using this for a "Enter your username or e-mail address and password to login" login form?
If so, then your SQL code is correct, but hints at a possible design flaw: what happens if someone has a username that is also the email address of another user? This could be used as a malicious attack (i.e. hijack another user's account by making your username equal to the victim's email address).
There is a solution/workaround: simply check for the '#' character and ensure that email addresses contain # and similarly ensure that no username contains # either.
...and if you're going to do that logic, then you might as well optimize the SQL and skip having to check multiple columns (psuedocode):
if( $usernameOrEmail contains '#' ) {
registerParameter("#email", $usernameOrEmail);
$sql = "SELECT ... WHERE EmailAddress = #email"; // note that "#email" is the syntax for query parameters in MySQL.
} else {
registerParameter("#userName", $usernameOrEmail);
$sql = "SELECT ... WHERE UserName = #userName";
}
I currently have this table.
Names
Two fields, ID and Names. Example data would be 1 | Harry.
Now what i am planning on doing is that if someone enters in something like Henry in my form, it will search my database for a result that begins with "H" Then if their are multiple results, it will see if there are any results that are "He" if their isn't it will fallback to the previous result from "H".
The only thing i can think of doing is this,
$inputted_name = "Henry";
$query = mysql_query("SELECT `name` FROM `names`");
while($row = mysql_fetch_array($query)){
$stored_name = $row['name'];
if($stored_name[0] == $inputted_name[0]){
if($stored_name[1] == $inputted_name[1]){
$result = $stored_name;
break;
} else {
// continue looking but then return the first result that matched one letter?
}
}
}
Now i am sure this can't be the best way to do it. Would it be possible in a query? I'm just really not sure where to look for a sensible answer for this one.
change
mysql_query("SELECT name FROM names");
to
mysql_query("SELECT name FROM names WHERE NAME='".$inputted_name."'");
and check you have more than one answer.
Note this is a bad way to do it if your name comes from a non controlled source, such as a web page, as it would allow a SQL injection, and then you would need parameters, but for your example it would work.
Edit: Now I read your question again, yes, you would need parameters or escaping such as:
$name = mysql_real_escape_string($inputted_name);
mysql_query("SELECT `name` FROM `names` WHERE NAME='".$=name."'");
Also, don't try and do in code what the database can do easily (like search for characters). Your code is almost always going to be worse than the database for doing a search, leave it to the database.
Attempting to write a check for a login script to see if the username is available.
Would the best way to write this query be to check
if isset(!_POST[]) for both values (nick and pass)
then connect to database
WHERE the mysql database for the usernick requested
return the user id if the usernick exists
evaluate if isset($id) to see if the user name is taken
and use that to continue to creating an entry
Does this logically sound like a method to check for login without using excessive code
sorry for not posting the code, it is on another computer and this computer is locked down by my administrator at work...
Also, is there another way to evaluate if a value exists in the database?
For instance, instead of setting $id to the return value of the mysql database can i just ping the mysql database for the information and have it return a Boolean result so I am not putting out any user information.
Thanks,
Matt
You can do :
SELECT NULL FROM <Table> WHERE <Conditions>
When you run your query, if you get a row/rows, then your condition is met, if you get 0 rows, then they don't (therefore whatever you are looking for does not exist).
As Boris mentioned, do not forget to sanitize your inputs.!
What this query is supposed to do, is return rows with a NULL value, if what you were looking for in your criteria is met. That is, for example you do :
SELECT NULL FROM Users WHERE Name = 'something';
And you get :
| NULL |
1 row(s) returned.
It means that a user with that name exists, in the other hand you would get:
0 rows returned.
That means it does not exist.
In PHP you could easily use mysql_num_rows($result) to test for this, if you get 0 rows then your user does not exist.
This is of course only useful if you are JUST testing the existance of something, if you actually need the information, you need to do a normal query.
You can just SELECT username WHERE username LIKE $username (don't forget to sanitize and filter $username before to use it in a query).
Then use $result = mysql_fetch_array($query); and count($result);
If count($result) is equal to 0 or null, then, there is no such username in database.
Try this.
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * from <table name> WHERE username = $username AND password = $password", $connection);
$row = mysql_fetch_array($result);
if(mysql_num_rows($row) == 1) //assuming username, password pair is unique
echo "Login Successful";
else
echo "Login Unsuccessful";