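real_escape_string($_POST['username']);
$email = $sql->real_escape_string($email);

/**
 * Check that the username and email aren't already in our database.
 *
 * Note also the absence of SELECT *
 * Grab the columns you need, nothing more.
 *
 * NOTE(review): the values are escaped with real_escape_string() and then
 * interpolated into the query text. That is only as strong as the escaping
 * function's knowledge of the connection charset; a prepared statement
 * (mysqli::prepare()/bind_param(), assuming $sql is a mysqli handle) keeps
 * data and SQL apart without that dependency. Not changed here because
 * $username is escaped above this point and would be double-escaped.
 */
$query = "SELECT username, email FROM users WHERE username = '{$username}' OR email = '{$email}'";
$result = $sql->query($query);

/**
 * A failed query returns false, and calling fetch_object() on false is a
 * fatal error. Record a generic error instead: empty($errors) is then false,
 * so the INSERT below is skipped (fail closed) and the user sees the same
 * message as for an insert failure. No database error detail is exposed.
 */
if ($result === false) {
    $errors['registration'] = "Account could not be created. Please try again later.";
} else {
    /**
     * There may well be more than one point of failure, but all we really need
     * is the first one.
     */
    $existing = $result->fetch_object();
    if ($existing) {
        /**
         * Strict comparison: "==" between two numeric-looking strings compares
         * them as numbers ("1e3" == "1000"), which could attribute the conflict
         * to the wrong field. Both sides are strings here, so "===" is exact.
         *
         * NOTE(review): the SELECT matches under the database collation (often
         * case-insensitive) while these PHP comparisons are exact, so a
         * conflicting row can be found without either error being set. Confirm
         * the collation and that users.username / users.email carry a unique
         * index so the INSERT below cannot create a duplicate.
         */
        if ($existing->username === $_POST['username']) {
            $errors['username'] = "That username is already in use.";
        }
        if ($existing->email === $email) {
            $errors['email'] = "That email address is already in use.";
        }
    }
}
}

/**
 * If the form has been submitted and no errors were detected, we can proceed
 * to account creation.
 */
if (!empty($_POST) && empty($errors)) {
    /**
     * Hash password before storing in database.
     *
     * phpass: iteration count log2 = 8, non-portable hashes preferred
     * (second argument FALSE). PHP's built-in password_hash()/password_verify()
     * cover the same need; switching would also change the login-side check,
     * which is outside this block.
     *
     * Assumes the validation above established that $_POST['password'] is
     * present — confirm.
     */
    $hasher = new PasswordHash(8, FALSE);
    $password = $hasher->HashPassword($_POST['password']);

    // $password is a hash (no quote characters); $username and $email were
    // escaped above. See the review note on the SELECT about prepared statements.
    $query = "INSERT INTO users (username, password, email, created) VALUES ('{$username}', '{$password}', '{$email}', NOW())";
    $success = $sql->query($query);

    if ($success) {
        $message = "Account created.";
    } else {
        // Generic message only; never echo the driver's error text to the user.
        $errors['registration'] = "Account could not be created. Please try again later.";
    }
}
?>
User Registration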