How do I check for existing username

Question

I would like to see if a username is already created... I seached, and the mysql_num_row() or whatever it is, doesn't seem to work, i get a T_STRING Error if i use that... Heres my code, that says it should work, but it doesn't, why?:

/*simple checking of the data*/
if(isset($_POST['login']) && isset($_POST['pass']) && ($_POST['pass'] == $_POST['confirm']))
{

/*Connection to database logindb using your login name and password*/
$db=mysql_connect('localhost','user','pass') or die(mysql_error());
mysql_select_db('db');

/*additional data checking and striping*/
$_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

mysql_query("INSERT INTO profiles SET username='{$_POST['login']}',password='{$_POST['pass']}'",$db);

/*If the database has been updated*/
if(mysql_affected_rows() > 0)
{
    $_SESSION['login'] = $_POST['login'];
    $login='Welcome '.$_SESSION['login'];
}
else
{
    $login= 'This login name already exists.';
}

mysql_close($db);

}

And i did as showdev suggested but get an error:

New code:

/*additional data checking and striping*/
$_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

mysql_query("INSERT INTO profiles SET  username='{$_POST['login']}',password='{$_POST['pass']}'",$db);

/*If the database has been updated
if(mysql_affected_rows() > 0)
{
$_SESSION['login'] = $_POST['login'];
$login='Welcome '.$_SESSION['login'];
}
else
{
$login= 'This login name already exists.';
}*/
$sql="SELECT COUNT(*) FROM `profiles` WHERE `username`='$username' AND `password`='$password' LIMIT 0,1;"
$q=mysql_query($sql) or die(mysql_error());
$r=mysql_fetch_row($q);
if ($r[0]==0) {
   // insert new user
    } else {
   // user already exists
    }

mysql_close($db);

}

Error:

Parse error: syntax error, unexpected T_VARIABLE in /home/teachert/public_html/php/register.php on line 34

UPDATE:

New Code:

mysql_query("INSERT INTO profiles SET `username`='{$_POST['login']}',`password`='{$_POST['pass']}' ON DUPLICATE KEY UPDATE `username`='{$_POST['login']}'",$db);
/*If the database has been updated*/
if(mysql_affected_rows() == 1)
{
    $_SESSION['login'] = $_POST['login'];
    $login='Welcome '.$_SESSION['login'];
}
else
{
    $login= 'This login name already exists.';
}

mysql_close($db);

}

Still doesn't work

Answer 1

You may want to SELECT the username to see if it already exists before INSERT. Something like this:

$login=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
$pass=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

$sql="SELECT COUNT(*) FROM `profiles` WHERE `username`='$login';"

$q=mysql_query($sql) or die(mysql_error());
$r=mysql_fetch_row($q);

if ($r[0]==0) { // count is 0, no matching users

   // insert new user
   $sql="INSERT INTO `profiles`
           (`username`,`password`) VALUES ('$login','$pass');";
   mysql_query($sql) or die(mysql_error());

   $_SESSION['login'] = $login;
   $login='Welcome '.$_SESSION['login'];

} else {

   // user already exists
   $login= 'This login name already exists.';

}

Also, consider PDO since mysql_* commands are depreciated.

Answer 2

This checks if user already exists, and uses the sanitize function to prevent injection

function sanitize($string) {
  $string = mysql_real_escape_string(strip_tags(trim($string)));
  return $string;
}

function user_exists($username) {
  $username = sanitize($username);
  return (mysql_result(mysql_query("SELECT COUNT(`username`) FROM `profiles` WHERE `username` = '$username'"), 0) == 1) ? true : false;
}

if (user_exists() === true) {

} else {
  $login= 'This login name already exists.';
}