Creating a registration page that doesn't allow duplicate use of emails

Hey, I am creating a registration page using PHP and MySQL, and I can’t seem to figure out how to put a filter up between my model and controller that doesn’t allow for the use of duplicate emails and usernames in the registration form. Right now it is slipping through my code and registering it despite my attempt at a filter on it. Here is what I have; if you have a simpler way of doing it or see some holes in my code, please let me know. Any help would be appreciated!

Model:

[php]function checkEmail($eMail) {
    global $db;
    $sql = "SELECT * FROM login WHERE eMail = :em";
    $statement = $db->prepare($sql);
    $statement->bindValue(':em', $eMail);
    $statement->execute();                     // the statement has to be executed before fetch()
    $result = $statement->fetch();             // false when no row matches
    $em = $result ? $result['eMail'] : null;
    $statement->closeCursor();
    return $em;                                // return the value so the controller can compare it
}[/php]

Controller:

[php]case 'registerAttempt':
    $userName = filter_input(INPUT_POST, 'userName');
    $password = filter_input(INPUT_POST, 'password');
    $eMail    = filter_input(INPUT_POST, 'eMail', FILTER_VALIDATE_EMAIL);
    $custType = filter_input(INPUT_POST, 'custType');
    $em = checkEmail;   // this does not call checkEmail(), so $em never holds a result
    if ($userName == NULL || $password == NULL || $eMail == NULL || $custType == NULL
        || $userName == 'User Name' || $password == 'Password' || $eMail == 'E-Mail') {
        $error = "Invalid registration data. Check all fields and try again.";
        include('registration.php');
    }
    else if ($em == $eMail) {
        $error = "Sorry that email already has an account with us. Try again!";
    }
    else {
        registerAttempt($userName, $password, $eMail, $custType);
        $success = "Congrats, you've successfully registered! Please check your email for instructions or head to the log in page!";
        include('registration.php');
    }
    break;[/php]

I don’t see where you call the model to see if the email exists.

[php]/* Check database table to see if email address is already taken */
function checkEmail($eMail, $pdo) {
    try {
        /* Set up the query. It doesn't matter what is selected, we are
           just trying to see if the email is in the database table.
           Execute the prepared statement with the bound value. */
        $query = "SELECT 1 FROM login WHERE eMail = :eMail";

        $stmt = $pdo->prepare($query);

        $stmt->bindParam(':eMail', $eMail);

        $stmt->execute();

        /* The fetch() method returns an array representing the "next" row from
           the selected results, or false if there are no more rows to fetch. */
        $row = $stmt->fetch();

        /* If a row was returned, then a matching email is already in the
           database, so the email is NOT available and we return false. */
        if ($row) {
            return false; // email taken
            /* if this confuses you then just switch the true and false in this if statement */
            /* and take out the ! in the other if statement */
        } else {
            return true;  // email available
        }

    } catch (PDOException $e) { // Report the Error!
        echo "DataBase Error: Could not check email against database table. " . $e->getMessage();
    } catch (Exception $e) {
        echo "General Error: email could not be checked for some general reason. " . $e->getMessage();
    }
} // End of check_for_duplicates function:[/php]

then to call it
[php]$result = checkEmail($eMail, $pdo); // I personally don't like using global variables
if (!$result) {
    echo "Sorry, You are unable to use this email for some reason\n";
}[/php]

Like already said, you have to call the function:

The first step is to design your database with a unique index on the email column. That will stop the duplicates from getting in the DB regardless of your code. Of course, the DB will give you an error message, but you can capture the error and do what you want with it.

I personally don’t bother checking for duplicate emails for there are better ways of stopping duplicate accounts and 99 percent of people don’t bother creating duplicate accounts (unless you’re Facebook ;D ) What I would do is verify the email account and lock it down (unique index like stated above), so the user can’t change the email address (or another secondary email that a user can’t change if so desired to allow change main email addresses). Someone a long time ago told me for security reasons not to allow at least one field to be easily changeable, that way if someone was trying to hack into the website it would be pretty obvious.
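An added example (not from any post in this thread) of the approach in the reply above: let a unique index enforce the rule at the database, and turn the duplicate-key error into the "already registered" message instead of relying on a SELECT before the INSERT. It assumes a hypothetical `login` table using the poster's column names and a PDO handle opened with PDO::ERRMODE_EXCEPTION.

```php
<?php
// Assumed schema (hypothetical, column names follow the thread's `login` table):
//   CREATE TABLE login (
//     id       INT AUTO_INCREMENT PRIMARY KEY,
//     userName VARCHAR(64)  NOT NULL,
//     password VARCHAR(255) NOT NULL,
//     eMail    VARCHAR(254) NOT NULL,
//     custType VARCHAR(32)  NOT NULL,
//     UNIQUE KEY uq_login_email (eMail),
//     UNIQUE KEY uq_login_username (userName)
//   );

function registerUser(PDO $pdo, string $userName, string $password, string $eMail, string $custType): string
{
    $sql = 'INSERT INTO login (userName, password, eMail, custType) VALUES (:u, :p, :e, :c)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':u', $userName);
    // Store a salted hash, never the plaintext password.
    $stmt->bindValue(':p', password_hash($password, PASSWORD_DEFAULT));
    $stmt->bindValue(':e', $eMail);
    $stmt->bindValue(':c', $custType);

    try {
        $stmt->execute();
        return 'ok';
    } catch (PDOException $e) {
        // errorInfo = [SQLSTATE, driver-specific code, driver message].
        // MySQL reports a unique-key violation as SQLSTATE 23000, driver code 1062.
        if ($e->errorInfo[0] === '23000' && (int) $e->errorInfo[1] === 1062) {
            // Do not echo $e->getMessage() to the visitor: it names the index and the value.
            return 'duplicate';
        }
        throw $e; // anything else is a real failure; let the caller log it
    }
}

// Usage: ERRMODE_EXCEPTION makes execute() throw instead of returning false.
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $dbUser, $dbPass,
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (registerUser($pdo, $userName, $password, $eMail, $custType) === 'duplicate') {
//     $error = "Sorry that email already has an account with us. Try again!";
// }
```

Because the check and the insert are one statement, two requests registering the same address at the same moment cannot both succeed, which a separate SELECT-then-INSERT cannot guarantee.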
