View Full Version : Username available



Imperial
12-31-2010, 11:33 PM
On register I want it to say if a person's username is available when you make an account on this forum. What kind of coding is it?

djr33
12-31-2010, 11:48 PM
While checking all of the submitted data (is the password blank? is the email valid?) check the submitted username against the database-- if you find a result, then it's unavailable and show them an error.

VijayKanta
01-02-2011, 09:52 AM
script.php


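<?php
extract($_POST); // If your method was post in <form>
// Escape the submitted value before placing it in the query string
$uservariable = mysql_real_escape_string($uservariable);
$query = "SELECT userfield FROM usertable WHERE userfield='$uservariable'";
$res = mysql_query($query);
if ($res) {
    // Zero matching rows means nobody has taken the name yet
    $count = mysql_num_rows($res);
    if (!$count) {
        echo "Username available";
    } else {
        echo "Username unavailable!";
    }
} else {
    echo "Transaction error!";
}
?>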


Try customizing this code. This is what you want and it was a very basic inquiry.

djr33
01-02-2011, 10:31 AM
That's one approach, but integration with the existing system may be difficult.

Also, I would not recommend using extract() that way. It's confusing and much more reliable to keep post variables in the $_POST array: just use $_POST['uservariable'] instead.

traq
01-02-2011, 06:00 PM
Using extract() like that (blindly) also leads to security holes: you're basically adding a point where users can directly modify the variables in your script. If a user knows (or can guess) the names of variables in your script, he can use a home-made form to change their values, or even add new variables with whatever values he likes. Consider this (very simple) example:


// earlier in the script, you check if the user is logged in:
if(/* check here */){ $loggedin = TRUE; }

// the user (who is NOT logged in) POSTs a form with the field "loggedin" and value "1"
// when your script comes to the username check,
extract($_POST);
// creates a variable called $loggedin with a value of 1 (which evaluates to TRUE)
// it doesn't affect the username check
// (in fact, if he also posts a 'uservariable' field, it won't even throw an error)
// however, he _IS_ logged in from that point on -
// without even knowing any real usernames or passwords.

Used in concert with the username check, he could find a valid username (and automatically be logged in with it), and then change the password to whatever he wants.

Even if the attack is not so refined, it doesn't take much to start screwing things up.
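
Added example, not part of any post in this thread: the overwrite traq describes, next to a username check that reads only the one expected field and binds it as a query parameter. The in-memory SQLite database, the sample rows, the function names and the username pattern are assumptions made for illustration; `usertable`, `userfield` and `uservariable` are the thread's placeholders.

```php
<?php
// Constructed request body: the expected field plus one the form never had.
$post = ['uservariable' => 'imperial', 'loggedin' => '1'];

// Before: extract() copies every submitted key into the local scope.
function check_with_extract(array $post): bool
{
    $loggedin = false;   // stands in for the result of the real login check
    extract($post);      // default EXTR_OVERWRITE replaces $loggedin with '1'
    return (bool) $loggedin;
}

// After: read one named field, validate it, and bind it as a parameter.
function username_available(PDO $db, array $post): bool
{
    $name = $post['uservariable'] ?? '';
    // Assumed username policy: 3-20 letters, digits or underscores.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        throw new InvalidArgumentException('invalid username');
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM usertable WHERE userfield = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn() === 0;
}

// Constructed database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usertable (userfield TEXT PRIMARY KEY)');
$db->exec("INSERT INTO usertable VALUES ('djr33'), ('traq')");

var_dump(check_with_extract($post));       // state of the login flag after extract()
var_dump(username_available($db, $post));  // availability of the submitted name
```

Because the second function never copies request keys into variables, the extra `loggedin` field in the request has nothing to overwrite.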