I’m working on a login system that warns the user if the username already exists in the database. I basically have a popup window on the same page where the input fields are for both login and user registration. The idea was to submit the fields and return a paragraph that would inform the user whether the account had been added successfully or not.
Here is the code:
    if(isset($_POST['submitlogin'])) {
        global $connection;
        $username = mysqli_real_escape_string($connection, trim($_POST['username']));
        $password = mysqli_real_escape_string($connection, trim($_POST['password']));
        if(!empty($username) && !empty($password)) {
            /*Register*/
            if(isset($_POST['classmember'])){
                $class_member= mysqli_real_escape_string($connection, trim($_POST['classmember']));
                $query = "SELECT member FROM members WHERE member='$username';";
                $result = mysqli_query($connection, $query);
                $num_rows = mysqli_num_rows($result);
                if($password == GUILDPASS) {
                    if($num_rows == 0) {
                        $query2 = "INSERT INTO members(member,pass,class_id,status_id) VALUES ('$username',". '\''. GUILDPASS . '\'' . ",$class_member,3);";
                        $insert = mysqli_query($connection, $query2);
                        echo "Added Successfully";
                    } else {
                        echo "player already exists";
                    }
                } else {
                    echo "Wrong password";
                }
            }
            /* LOGIN*/
            else {
                $query = "SELECT member,pass FROM members WHERE member='$username' AND pass='$password';";
                $result = mysqli_query($connection, $query);
                $num_rows = mysqli_num_rows($result);
                if($num_rows == 0) {
                    echo "Create Account or Username/Password incorrect..";
                } else if ($num_rows == 1){
                    $_SESSION['sessionid'] = session_id();
                }
            }
        } else {
            echo "Password/Username missing";
        }
        header("Location: ../index.php");
        exit();
    }
Buddy, do you get any errors when you run this code? Be very careful when using "SELECT Member FROM Members WHERE Member='$username';", as this opens the door to SQL injection. Never use a variable directly in the SQL query without filtering.
– Stéfano
It is not possible to perform an echo via AJAX because the page has already been loaded. An alternative would be to collect the return of the AJAX request and manipulate the page's DOM to simulate an "echo". Note that PHP (Hypertext Preprocessor) means something that manipulates the text before it is rendered.
– Paulo Martins
@Stéfano At the moment this is in production; later I will pass everything to prepared statements and review the security of the code.
– Pedro Mesquita
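The move to prepared statements mentioned in the comments, as an added example that is not part of the original posts: the question's three queries against the `members` table rewritten with mysqli bound parameters. The function names are hypothetical, and `$connection` is assumed to be an open mysqli handle as in the question.

```php
<?php
// Added example: table and column names are from the question; the function
// names are hypothetical and $connection is an open mysqli handle.

// True when a row for $username exists. The value is sent as a bound
// parameter, so it is never parsed as SQL text.
function member_exists(mysqli $connection, string $username): bool
{
    $stmt = $connection->prepare('SELECT member FROM members WHERE member = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

// Inserts a new member; returns false for a bad class id or a taken name.
function register_member(mysqli $connection, string $username, string $pass, $classMember): bool
{
    // class_id is unquoted in the original INSERT, so escaping alone does not
    // constrain it. Accept only an integer.
    $classId = filter_var($classMember, FILTER_VALIDATE_INT);
    if ($classId === false || member_exists($connection, $username)) {
        return false;
    }
    $statusId = 3; // same status_id the question inserts
    $stmt = $connection->prepare(
        'INSERT INTO members (member, pass, class_id, status_id) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssii', $username, $pass, $classId, $statusId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// True when exactly one row matches the username and password pair.
function check_login(mysqli $connection, string $username, string $password): bool
{
    $stmt = $connection->prepare('SELECT member FROM members WHERE member = ? AND pass = ?');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->store_result();
    $matched = $stmt->num_rows === 1;
    $stmt->close();
    return $matched;
}
```

With bound parameters the `mysqli_real_escape_string` calls are no longer needed, and applying them as well would store the escaped form of the value.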