
unique key info


Hooch


Hey all. I have a users table set up with the user name and email as unique fields. This is good on 2 levels. One, you can't register a duplicate name. Two, once registered you can't change your name to another's. The second part is automatically done for you without any extra coding. So is it possible to echo the non entry? I made some code up to check the email

$profile2 = mysql_query("SELECT * from users where username = '{$_SESSION['s_username']}'");
$profile2 = mysql_fetch_array($profile2);
// only run the duplicate check when the submitted email differs from the stored one
if ($_POST['email'] !== $profile2['email']) {
    // $email is the submitted address (see the clean() call further down the thread)
    $check = mysql_query("SELECT email FROM users WHERE email='$email'");
    $check = mysql_num_rows($check);
    if ($check > 0) {
        echo "<link href=\"includes/style.css\" rel=\"stylesheet\" type=\"text/css\" />";
        echo "<br><br>";
        echo "<center>That email is already in use.";
        echo "<br><br>";
        echo "<a href=\"editprofile.php\" class=\"red-14\">Back</a></center>";
        echo "<br><br>";
    }
}

So can I skip all this code and let the table do its work for me, then display the error for the user? Thank you, Hooch


You could skip the code, but the error the user would see would be a MySQL error talking about duplicate keys. It would be confusing to the user. It's best to do what you're doing, catch the error before it happens, and show the user a friendly error message. It would be even more friendly if the user were taken directly back to the form with their answers still filled in.

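The approach the reply recommends, worked through as an added example that is not code from the thread: the UNIQUE key on the email column stays the real guarantee (a SELECT-then-UPDATE check leaves a window in which two requests can both pass), and MySQL's duplicate-key error is translated into the friendly message while the form is re-rendered with the submitted value so nothing is lost. It assumes a PDO connection, a users table with UNIQUE(username) and UNIQUE(email), the s_username session key from the thread, and placeholder database credentials.

```php
<?php
// Added example, not code from the thread. The UNIQUE key on users.email is
// the final guard; the duplicate-key error it raises becomes a user-facing
// message instead of a raw MySQL error. Assumptions: PDO, UNIQUE(username)
// and UNIQUE(email) on the users table, $_SESSION['s_username'] as in the
// thread, and placeholder DSN/credentials.

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]   // driver errors become exceptions
);

/**
 * Try to set the logged-in user's email. Returns null on success, or a
 * user-facing message when the address already belongs to another row.
 */
function updateEmail(PDO $pdo, string $username, string $newEmail): ?string
{
    // Bound parameters: neither the session value nor the form value becomes SQL text.
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE username = ?');
    try {
        $stmt->execute([$newEmail, $username]);
        return null;
    } catch (PDOException $e) {
        // errorInfo[1] is the driver-specific code; 1062 is MySQL's ER_DUP_ENTRY.
        // Setting a row's email to the value it already has does not raise it,
        // so the "did the email change?" pre-check from the first post is not needed.
        if (($e->errorInfo[1] ?? null) === 1062) {
            return 'That email is already in use.';
        }
        throw $e;  // anything else is a real failure, not a user mistake
    }
}

session_start();
$email = $_POST['email'] ?? '';
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = updateEmail($pdo, $_SESSION['s_username'], $email);
    if ($error === null) {
        header('Location: editprofile.php?saved=1');
        exit;
    }
}
?>
<?php if ($error !== null): ?>
  <p class="red-14"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="editprofile.php">
  <!-- "sticky" field: the submitted value comes back, HTML-escaped for output -->
  <input type="email" name="email" value="<?= htmlspecialchars($email, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Save</button>
</form>
```

Because the whole page is one script, a failed save falls through to the form with the value still filled in, which is the "taken directly back to the form" behaviour the reply asks for; only a successful save redirects.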

Maybe some temporary cookies or maybe URL vars. Also just something I noticed... the SQL syntax... it looks well hackable. When I have things like sessions, cookies, gets or posts I always check (ereg_replace) the values regardless. You can't just assume the user is your average dude and doesn't know about SQL injection :)


Google on "php redux" and you will find a link to Larry Ullman's script for "sticky forms". The form, error handling, and whatever you need are all processed on one page and the form fields get displayed by the single script. Larry is an author that has written quite a few books, is rather knowledgeable, and presents the information in an easy to understand manner. Link here: redux format : http://www.peachpit.com/articles/article.a...qNum=2&rl=1 Link here: sticky forms : http://www.peachpit.com/articles/article.a...qNum=3&rl=1


Maybe some temporary cookies or maybe URL vars. Also just something I noticed... the SQL syntax... it looks well hackable. When I have things like sessions, cookies, gets or posts I always check (ereg_replace) the values regardless. You can't just assume the user is your average dude and doesn't know about SQL injection :)
I read up on the (ereg_replace). It will check for certain entries then replace them with something else. Okay so what do I need to check for? FYI this is a clean function I do on every form input.

include 'includes/clean.php';
$firstname = clean($_POST['firstname']);
$lastname = clean($_POST['lastname']);
$email = clean($_POST['email']);

clean.php

function clean($string)
{
    $string = trim($string);                      // strip surrounding whitespace first
    $string = mysql_real_escape_string($string);  // then escape for use inside SQL quotes
    return $string;
}

I assume putting my (ereg replace) in the clean.php would be best too? Thank you, Hooch


Thanks jlhaslip, good stuff. I stumbled upon a tutorial for dreamweaver. It will popup an error if a field is not filled out, and it saves all info since the form is not posted. http://www.phpeasystep.com/phptu/17.html Mind you this does not save the info if all required fields are filled out, then the query for a duplicate email is true. The form does get posted and all info will be lost. But I thought the info could come in handy for dreamweaver users.


I don't think there's any point to use ereg_replace or any other regular expression function to sanitize input. Input can only harm a database under 1 circumstance, if it contains a quote. So all you need to do is escape quotes, and invoking the regular expression engine to do that is a waste of resources. All you need to do is call the mysql_real_escape_string function on each string input, you're already doing that. For number inputs, you should convert to either integer using intval or floating point using floatval. As far as single-page form processing goes (filling in what the user had), I wrote this up a while ago and it might help: http://w3schools.invisionzone.com/index.php?showtopic=5344

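Hooch's question ("what do I need to check for?") and the last reply's answer (escape strings, convert numbers with intval/floatval, no regex needed) together, as an added example that is not code from the thread: a typed replacement for the clean() helper. Each field is validated for what it is meant to be (bounded text, an email address, an integer within a range) and rejected with a message otherwise; SQL escaping is left to a prepared statement at the point of use, and escaping for the page is done with htmlspecialchars when a value is printed. The field names firstname, lastname and email are the thread's; the age field, the length limits and the PDO connection in $pdo are assumptions.

```php
<?php
// Added example, not code from the thread: validate each input by type
// instead of pattern-replacing characters with ereg_replace. Assumptions:
// a PDO connection in $pdo, a started session with s_username as in the
// thread, an assumed 'age' column, and assumed length limits.

function validateProfile(array $post): array
{
    $errors = [];
    $values = [];

    foreach (['firstname', 'lastname'] as $field) {
        $text = trim((string)($post[$field] ?? ''));
        if ($text === '' || mb_strlen($text) > 50) {
            $errors[$field] = ucfirst($field) . ' must be 1 to 50 characters.';
        } else {
            $values[$field] = $text;   // kept as typed; no SQL escaping here
        }
    }

    $email = trim((string)($post['email'] ?? ''));
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    } else {
        $values['email'] = $email;
    }

    // Numbers: validate rather than cast. intval('12abc') silently gives 12;
    // FILTER_VALIDATE_INT returns false for it and also enforces the range.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $values['age'] = $age;
    }

    return ['errors' => $errors, 'values' => $values];
}

session_start();
$result = validateProfile($_POST);
if ($result['errors'] === []) {
    $v = $result['values'];
    // Placeholders carry the values; the driver handles quoting and types,
    // so neither mysql_real_escape_string nor a regex is involved.
    $stmt = $pdo->prepare(
        'UPDATE users SET firstname = ?, lastname = ?, email = ?, age = ? WHERE username = ?'
    );
    $stmt->execute([$v['firstname'], $v['lastname'], $v['email'], $v['age'], $_SESSION['s_username']]);
} else {
    foreach ($result['errors'] as $field => $message) {
        // Output escaping is a separate concern from SQL escaping.
        echo '<p class="red-14">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

The point of returning the validated values separately from the raw POST array is that everything downstream (the UPDATE, the sticky form, any email that gets sent) reads only from `$result['values']`, so a field that failed validation never reaches the database in any form.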