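prepare($query);
$stmt->execute(array(
    ':username' => $_POST['username'],
    ':email' => $email
));
/**
 * There may well be more than one point of failure, but all we really need
 * is the first one.
 */
$existing = $stmt->fetchObject();
if ($existing) {
    if ($existing->username == $_POST['username']) {
        $errors['username'] = "That username is already in use.";
    }
    if ($existing->email == $email) {
        $errors['email'] = "That email address is already in use.";
    }
}
}

/**
 * If the form has been submitted and no errors were detected, we can proceed
 * to account creation.
 */
if (!empty($_POST) && empty($errors)) {
    /**
     * Hash password before storing in database.
     *
     * NOTE(review): PasswordHash is the phpass hasher; PHP's native
     * password_hash()/password_verify() is the modern equivalent. Switching
     * would also require updating the login-side check, so it is left as-is.
     */
    $hasher = new PasswordHash(8, false);
    $password = $hasher->HashPassword($_POST['password']);

    /**
     * I'm going to mention it again because it's important; if you aren't using
     * prepared statements, be sure to escape your data before passing it to
     * your query.
     */
    $query = "INSERT INTO users (username, password, email, created) VALUES (:username, :password, :email, NOW())";
    $stmt = $sql->prepare($query);

    // Store the same $email value the duplicate-address lookup above queried
    // with, not the raw $_POST['email']: if the two differ (e.g. after
    // trimming/normalising), the uniqueness check would not cover the row
    // actually written.
    // NOTE(review): assumes $email is assigned whenever $_POST is non-empty —
    // confirm against where it is set earlier in this script.
    $success = $stmt->execute([
        ':username' => $_POST['username'],
        ':password' => $password,
        ':email' => $email,
    ]);

    if ($success) {
        $message = "Account created.";
    } else {
        $errors['registration'] = "Account could not be created. Please try again later.";
    }
}
?>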