Username Availability Check Using Ajax And Php Against Mssql

I have a database already full of clients. We are trying to let them setup online access. They must provide their member ID to set up their online account. I have built a test form

Solution 1:

Your query is failing, because you've failed to quote your $username parameter, leading to both incorrect and invalid SQL, and an SQL injection attack vulnerability:

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";
                                                     ^--        ^--

without the quotes, you're doing WHERE MemberID = fred, and I highly doubt you've got a fred field in your membership table.

Since your code blindly assumes the query is working correct, you will never ever see the syntax error warnings that SQL server WILL HAVE been providing.

Solution 2:

Don't you need to quote the value of your parameter in your SQL statement ?

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";

would then become

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";

Solution 3:

I ended up getting it with this...thanks for all the input...I really appreciate it all!

$sql="SELECT MemberID FROM tblMembership WHERE MemberID = '".$memid."'";
$stmt= sqlsrv_query($conn, $sql);
$row= sqlsrv_fetch($stmt);
if (empty($row))
{
print "<span style=\"color:red;\">We Can Not Find You >:-(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :-)  </span>";
}

Solution 4:

Why don't you explicitly use $_GET,

if(isset($_GET['uname']))
{
  $uname=$_GET['uname'];
}

And then query like,

$sql = "SELECT * FROM tblMembership WHERE MemberID ='$uname'";