Try this one:

    $sSQL = sprintf("SELECT username FROM individuals WHERE username='%s'",
                    mysql_real_escape_string($username));
    $query = mysql_query($sSQL);
    if ($query !== false) {
        // the query ran; a non-false result only means no SQL error,
        // so count the rows to know whether the username exists
        if (mysql_num_rows($query) > 0) {
            // do something
        }
    }

2008/5/18 Sudhakar <sudhakararaog@xxxxxxxxx>:
> Until I started using the techniques for avoiding SQL injection, I had been
> using a normal insert and select SQL query which worked fine.
>
> I have a registration page where a user enters their username and if this
> already exists I display a message by executing a select query, and if the
> username does not exist then I run an insert query.
>
> After adopting the technique to avoid SQL injection:
>
>     if (get_magic_quotes_gpc())
>     {
>         $username = stripslashes($_POST["username"]);
>         $email = stripslashes($_POST["email"]);
>     }
>     else
>     {
>         $username = $_POST["username"];
>         $email = $_POST["email"];
>     }
>
> Previously my select and insert queries were:
>
>     INSERT INTO individuals(username, email) VALUES('$username', '$email')
>     SELECT username FROM individuals WHERE username = '$username'
>
> Presently the insert query is:
>
>     $insertquery = sprintf("INSERT INTO individuals (username, email) VALUES ('%s', '%s')",
>                            mysql_real_escape_string($username),
>                            mysql_real_escape_string($email));
>
> This insert query is working; however, the select query is not doing its task
> as before of checking whether the username already exists or not. Even if I
> register with the same username again it does not alert that the username
> exists.
>
> The select query is:
>
>     $selectqueryusername = sprintf("SELECT username FROM individuals WHERE username='%s'",
>                                    mysql_real_escape_string($username));
>
> Should I change the syntax of the above select query, or is there something
> else I need to do to fix the select query?
>
> Please advise.
>
> Thanks.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
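As an added example that is not code from either message in this thread, here is the same register-or-reject flow written with PDO prepared statements, which removes the need for mysql_real_escape_string and makes the "does this username exist" check explicit. It assumes an in-memory SQLite database (via pdo_sqlite) so it runs stand-alone; the table and column names follow Sudhakar's schema.

```php
<?php
// Added example: username-exists check followed by insert, using PDO prepared
// statements. SQLite in memory stands in for MySQL so this runs stand-alone;
// only the DSN would change for a real MySQL deployment.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE individuals (username TEXT UNIQUE, email TEXT)");

// Returns true if the user was created, false if the username was already taken.
function registerIndividual(PDO $db, string $username, string $email): bool
{
    // Values are bound as parameters, never interpolated into the SQL text,
    // so quotes or other special characters in the input stay plain data.
    $select = $db->prepare("SELECT username FROM individuals WHERE username = ?");
    $select->execute([$username]);

    // fetch() returns false when the query ran but matched no row. This is the
    // step the original code skipped: building the SELECT string does nothing
    // until it is executed and its rows are inspected.
    if ($select->fetch(PDO::FETCH_ASSOC) !== false) {
        return false; // username already exists
    }

    $insert = $db->prepare("INSERT INTO individuals (username, email) VALUES (?, ?)");
    $insert->execute([$username, $email]);
    return true;
}

// Constructed sample input; the apostrophe would have broken a query that
// interpolated $username directly without escaping.
var_dump(registerIndividual($db, "o'brien", "ob@example.com"));   // first registration
var_dump(registerIndividual($db, "o'brien", "dup@example.com"));  // duplicate username
var_dump(registerIndividual($db, "sudhakar", "s@example.com"));   // different username
```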