I've written a basic register script, and I have included a client-side JavaScript check which validates certain fields. The problem is that I also want the script to check whether the username already exists in the database; however, the script seems to bypass this check for some reason, and I was wondering if someone could point me in the right direction?
Thanks
PHP Code:<?php
require_once('../classes/database.class.php');
require "../classes/class.imagetransform.php";
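// Registration form fields, read straight from the POST body. Nothing here is
// validated yet: the client-side JavaScript check can be skipped by any
// client, so every value stays untrusted until it is checked or escaped at
// the point where it is used.
$username = $_POST['username2'];
$password = $_POST['password1'];
$validpassword = $_POST['password2'];
// NOTE(review): MD5 is a fast, unsalted digest and is not suitable for storing
// passwords. Moving to password_hash()/password_verify() has to be coordinated
// with the code that stores and compares $password2, which is not visible
// here, so the call is left unchanged and only flagged.
$password2 = md5($password);
$name = $_POST['name'];
$email= $_POST['email'];
$age = $_POST['age'];
$gender = $_POST['gender'];
$location = $_POST['location'];
$level = $_POST['level'];
$handicap = $_POST['handicap'];
$clubmember = $_POST['clubmember'];
$localcourse= $_POST['localcourse'];
$score= $_POST['score'];
$drive = $_POST['drive'];
$course= $_POST['course'];
$desc = $_POST['desc'];
$driver1 = $_POST['driver1'];
$driver2= $_POST['driver2'];
$fairwood1 = $_POST['fair1'];
$fairwood2 = $_POST['fair2'];
$threeiron = $_POST['3iron'];
$fouriron= $_POST['4iron'];
$fiveiron= $_POST['5iron'];
$sixiron = $_POST['6iron'];
$seveniron= $_POST['7iron'];
$eightiron= $_POST['8iron'];
$nineiron= $_POST['9iron'];
$pitchingwedge = $_POST['pitchingwedge'];
$sandwedge = $_POST['sandwedge'];
$putter = $_POST['putter'];
$favclub= $_POST['favclub'];
$favball= $_POST['favball'];
$favtee= $_POST['favtee'];
// NOTE(review): rand() is predictable. Where $rand is used is not visible
// here; if it must be unguessable, take it from a CSPRNG instead.
$rand = rand();
$time = time();

$database = new database();
$link_id = $database->database_connection();

// Look up the requested username. The value is escaped before it is placed
// inside the quoted SQL literal; without this, a crafted username changes the
// query itself (SQL injection). Escaping needs the open connection, so it
// happens after database_connection(). $username itself is left untouched, so
// any later query that uses it (not visible here) must escape it as well.
// The mysql_* extension was removed in PHP 7; when this is ported to mysqli or
// PDO, use a prepared statement with a bound parameter instead of escaping.
$username_sql = mysql_real_escape_string($username);
$query_check = "select * from golfer where username = '$username_sql'";
$result_check = mysql_query($query_check);
if ($result_check === false)
{
    // Keep the driver's error text in the server log. Sending mysql_error()
    // to the browser discloses query and schema details to whoever
    // triggered the failure.
    error_log('Username lookup failed: ' . mysql_error());
    print 'There was a database error when executing';
    exit;
}
// Number of existing rows with this username: 0 means the name is free.
$total_rows_check = mysql_num_rows($result_check);
$file_check = mysql_fetch_array($result_check);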
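/**
 * Show a message in a JavaScript alert, send the browser back one page and
 * stop the script.
 *
 * The message is JSON-encoded with the JSON_HEX_* flags before it is written
 * into the <script> element, so quotes, angle brackets or ampersands in $msg
 * cannot end the string literal or the element early.
 *
 * @param string $msg Text to display to the user.
 * @return void This function does not return; it calls exit.
 */
function error_message($msg){
    $js_msg = json_encode((string) $msg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($js_msg === false) {
        // json_encode() fails on invalid UTF-8; fall back to an empty string
        // literal rather than emitting broken script.
        $js_msg = '""';
    }
    echo "<script>alert($js_msg);history.go(-1)</script>";
    exit;
}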
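// Server-side validation of the submitted registration. These checks are the
// ones that count: the client-side JavaScript validation can be bypassed.
// error_message() ends the request, so the "$valid = false" assignments that
// follow each call are never reached; they are kept as the author wrote them.

// Both password fields are required (the original tested $password twice).
if(empty($password) || empty($validpassword))
{
    error_message("please enter required fields");
    $valid = false;
}

// Strict comparison: with "!=" PHP compares numeric-looking strings as
// numbers, so two different inputs such as "0e1" and "0e2" count as equal.
if ($password !== $validpassword)
{
    error_message("Passwords don't match");
    $valid = false;
}

if(!$email)
{
    error_message("Please a enter an email.");
    $valid = false;
}else
{
    $email = trim($email);
    // Pattern pieces: local part, one or more dot-terminated host labels, and
    // a final label of 2 to 4 alphanumerics (case-insensitive).
    // NOTE(review): the 2-4 character limit rejects addresses under longer
    // top-level domains; filter_var($email, FILTER_VALIDATE_EMAIL) is the
    // standard-library alternative if that is not intended.
    $_name = "/^[-!~$%&\'*+\\.\/0-9=?A-Z^_'{|}~]+";
    $_host = "([-0-9A-Z]+\.)+";
    $_tlds = "([0-9A-Z]){2,4}$/i";
    if(!preg_match($_name."@".$_host .$_tlds, $email))
    {
        error_message("Email Address has incorrect format");
        $valid =false;
    }
}

if(!$username)
{
    error_message("Please a enter a Username.");
    $valid = false;
}else {
    // $total_rows_check is the number of existing rows found for this
    // username by the lookup earlier in the script. The original test was
    // inverted ("== 0"): it reported a free name as taken and let an existing
    // name through, which is why the duplicate check appeared to be bypassed.
    // This check alone still leaves a window between the lookup and the later
    // insert (not visible here); a UNIQUE constraint on the username column
    // is what reliably prevents duplicates.
    if($total_rows_check > 0) {
        error_message("Username is already taken, please choose a diffrent username");
        $valid = false;
    }
}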
?>




