syntax of sprintf

Until I started using the techniques for avoiding SQL injection, I have been
using a normal insert and select SQL query which worked fine.

I have a registration page where a user enters their username, and if this
already exists I display a message by executing a select query, and if the
username does not exist then I run an insert query.

After adopting the technique to avoid SQL injection:

if (get_magic_quotes_gpc())
{
    $username = stripslashes($_POST["username"]);
    $email    = stripslashes($_POST["email"]);
}
else
{
    $username = $_POST["username"];
    $email    = $_POST["email"];
}

Previously my select and insert queries were

INSERT INTO individuals(username, email) values('$username', '$email')
Select username from individuals where username = '$username'

Presently the insert query is

$insertquery = sprintf("INSERT INTO individuals (username, email) VALUES
('%s', '%s')",
mysql_real_escape_string($username), mysql_real_escape_string($email));

This insert query is working; however, the select query is not doing its task
as before of checking if the username already exists or not. Even if I
register with the same username again, it does not alert that the username
exists.

The select query is

$selectqueryusername = sprintf("Select username from individuals where
username='%s'", mysql_real_escape_string($username));

Should I change the syntax of the above select query, or is there something
else I need to do to fix the select query?

Please advise.

Thanks.
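
The check-then-insert registration flow described in this message, written with bound parameters instead of sprintf() and escaping, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database standing in for the poster's MySQL server; the helper name register_user() and the sample rows are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL server in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database itself reject a duplicate, even if two
// registrations pass the SELECT check at the same moment.
$db->exec('CREATE TABLE individuals (username TEXT NOT NULL UNIQUE, email TEXT NOT NULL)');

// register_user() is a hypothetical helper, not code from the post.
function register_user(PDO $db, string $username, string $email): string
{
    // The value is bound, never spliced into the SQL text, so no escaping
    // or sprintf() is needed and quotes in the input stay plain data.
    $check = $db->prepare('SELECT username FROM individuals WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }

    try {
        $insert = $db->prepare('INSERT INTO individuals (username, email) VALUES (?, ?)');
        $insert->execute([$username, $email]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate key).
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return 'exists';
        }
        throw $e;
    }
    return 'created';
}

// Constructed sample input, including a username that contains a quote.
$samples = [
    ["alice",   "alice@example.com"],
    ["alice",   "other@example.com"],
    ["o'brien", "ob@example.com"],
    ["o'brien", "ob2@example.com"],
];
foreach ($samples as [$name, $mail]) {
    printf("%-10s %s\n", $name, register_user($db, $name, $mail));
}
```

The SELECT result is read with fetchColumn() before deciding, and the UNIQUE constraint backs up that check at the database level.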
