How to prevent username duplicates in mySQL (PHP)

Question

This is how my users register for database, but my question is: How can I prevent the database from having copies of the same username, or in other words, how can I prompt to the user that "Your username already exists" if their username exists in the database.

 <?php

        $error = ""; // error
        $GoodJob = ""; 
        //When submit button is pressed, send data.  

        if(isset($_POST['submit'])){

            if (empty($_POST['username']) || empty($_POST['email']) || empty($_POST['password'])) {

                $error = "<br>Please insert only letters or numbers.";

            }else{

            // Define username, firstname, lastname, email and password.
            $username = $_POST['username'];
            $firstname = $_POST['firstname'];
            $lastname = $_POST['lastname'];
            $email = $_POST['email'];
            $password = $_POST['password'];

            // Define database information
            $hostnameV = "***";
            $usernameV = "***";
            $passwordV = "***"; 
            $databaseV = "***"; 



            //connection to the database
            $connection = mysql_connect($hostnameV, $usernameV, $passwordV) 
                 or die("Unable to connect to MySQL");
            echo "Connected to MySQL<br>";


            //select a database to work with
            $selected = mysql_select_db($databaseV,$connection) 
              or die("Could not select company");

            // To protect MySQL injection for Security purposes
            $username = stripslashes($username);
            $firstname = stripslashes($firstname);  
            $lastname = stripslashes($lastname); 
            $email = stripslashes($email); 
            $password = stripslashes($password); 

            $username = mysql_real_escape_string($username); 
            $firstname = mysql_real_escape_string($firstname); 
            $lastname = mysql_real_escape_string($lastname); 
            $email = mysql_real_escape_string($email); 
            $password = mysql_real_escape_string($password); 

            // SQL query to send information of registerd users
            # FORMULA: INSERT INTO table_name (column1, column2, column3,...) VALUES (value1, value2, value3,...)

            $query = mysql_query("INSERT INTO `company`.`users` (`id`, `username`, `firstname`, `lastname`, `email`, `password`) 
                                  VALUES (NULL, '$username', '$firstname', '$lastname', '$email', '$password')", $connection); 


            //close the connection
            mysql_close($connection);    

            } // end if statement
            ***
        }

        ?>

         <div id="main">
                <div id="login">
                    <h2>REGISTER</h2>
                    <form action="" method="post">
                            <input id="name" name="username" placeholder="Pick a username" type="text">
                            <input id="name" name="email" placeholder="Your email" type="text">
                            <input id="name" name="firstname" placeholder="firstname" type="text">
                            <input id="name" name="lastname" placeholder="lastname" type="text">
                            <input id="password" name="password" placeholder="Create a password" type="password"> 
                            <input name="submit" type="submit" value=" REGISTER ">
                        <span><?php echo $error; ?></span>
                    </form>
                </div>
            </div>

Define the `username` column to be unique or (equivalently) create a unique index on it. — Gordon Linoff, Feb 12 '15 at 19:56
^- this. And then don't assume your query runs successfully, check if it fails and if so, for what reason (eg., a duplicate username) — kero, Feb 12 '15 at 19:57
Check this http://stackoverflow.com/questions/17042306/avoid-inserting-duplicate-column-values — Magster, Feb 12 '15 at 19:58
You should use PDO for the requests. According to php doc, the fonctions you are using are depreciated since php 5.5.0 and should be remove in the futur. — Akimoto, Feb 12 '15 at 19:59

Halfstop · Answer 1 · 2015-02-13T15:00:40.270

I would first start by not using the mysql_* functions as they are deprecated and switch to PDO as it works correctly.

To answer your question, you should simply query the database for the username, if it exists, tell the user.

Before the Insert, using PDO and prepared statements.

$stmt = $dbh->prepare('SELECT count(*) FROM user WHERE username = ?');
$stmt->execute(array($username));
$res = $stmt->fetch(PDO::FETCH_NUM);
$exists = array_pop($res);
if ($exists > 0) {
  // tell the user it already exists.
} else {
  // carry on with your insert.
}

As others have suggested, making the username unique should also be done. I wouldn't write my code to fail though when trying to insert a duplicate username, I would still test if it exists.

So to provide a bit more clarity, in reference to the below comments about using exceptions, here's why I wouldn't write my code to throw an exception if someone enters a username that is already taken. Exceptions, in my opinion, should be exceptions. That means that something exceptional happened. Someone entering a username that is already taken, I consider that to be a normal operation of the application and it should be handled in a normal non-exceptional fashion. If however, someone entered a valid username and between the time that I checked that it was not taken and when I'm running my insert, someone else grabbed that username (in that 2 millisecond timeframe), that would be an exception and I would handle it. To the user, that "exception" would look exactly the same, but in my code it would be handled as an exception.

So that's why I wouldn't just write my code to do an insert that throws an exception when someone enters a username that is already taken. I would check whether it's taken or not and then insert it, throwing an exception if that username was snagged between the time I checked and when it was inserted. I think that's good application design and proper use of exceptions. Others can disagree, but that's how I would do it. Exceptions should be exceptional, not part of the normal course of doing business.

You don't need to do this count before attempting to insert. Having given it a unique constraint, you attempt to insert, and do it in a try..catch, and if you end up in the catch and the error is violation of primary key, then tell the user the username already exists. If, however, you want to do an Ajax validation while the user is still filling out the form, you can do an Ajax request to a page that checks if the username exists by doing the count there. Totally pointless to do it right before insert, however. — developerwjk, Feb 12 '15 at 20:07
@developerwjk It's personal preference. I don't like to write code to throw exceptions. It's not pointless to do the check before the insert, it's the entire point of doing the check. — Halfstop, Feb 12 '15 at 20:12
Its not personal preference. If you do it your way and rely on this count, by the time the sql server returns the count and you say "aha, the user doesn't exist" and begin to insert it, someone else may have registered this username, and now you have an insert that fails (if you put in the unique constraint) without telling the user because you don't like checking exceptions! Or if you didn't put in the unique constraint, now you have the username in the table twice. In short, your way is wrong, not just a personal preference. — developerwjk, Feb 12 '15 at 20:14
@developerwjk I disagree, as I said in my answer, putting the unique constraint on the username in the db is part of the solution. And I'm pretty sure I never said that I "don't like exceptions." I just don't use them the way you are suggesting. — Halfstop, Feb 12 '15 at 20:15
If you've only done apps that are used by less than 10 people, it may seem to you to be working fine. But for an app with much usage, it will fail massively. — developerwjk, Feb 12 '15 at 20:16
@developerwjk it absolutely will not fail, not once, not ever. — Halfstop, Feb 12 '15 at 20:17

score -1 · Answer 2 · answered Feb 19 '15 at 10:32

You can set a validation for checking the username is exist or not.

    <?php
    function checkUserExist($username){
    $checkExist = "SELECT username from userTable WHERE username ='" . $username . "'" or die(mysql_error());
    mysql_query($checkExist);
       if($checkExist > 0){//That means username is existed from the table
          return true;
       }else{//username isn't exist
          return false;
       }
    }

    if(checkUserExist($username)){//function return true
       echo "username is already exist, please change.";
    }else{
       //Insert the user info into db
    }

This is an example for checking the username by using function with mysql_query, you can also use PDO to implement it, Cheers!

How to prevent username duplicates in mySQL (PHP)

2 Answers2