Here's what I have but nothing is output to the screen. :\

<html>
<head>
</head>
<body>
<? 
mysql_connect(localhost, "sergio", "123");
@mysql_select_db("multas") or die( "Unable to select database");

$query="SELECT * FROM usuario";
$result=mysql_query($query);

$num=mysql_numrows($result);
$i=0;

$username=GET["u"];
$password=GET["p"];

while ($i < $num) {

$dbusername=mysql_result($result,$i,"username");
$dbpassword=mysql_result($result,$i,"password");

if(($username == $dbusername) && ($password == $dbpassword)){
echo "si";
}

$i++;
}

?>
</body>
</html>

I'm iterating through all users and seeing if there is a match for user && password.

Any guidance?

+4  A: 

You should query the database directly using a WHERE filter. In your case, you could do something like

$user = mysql_real_escape_string($_GET["u"]);
$pass = mysql_real_escape_string($_GET["p"]);

then query like this:

$query = "SELECT * FROM usuario WHERE username = '$user' AND password = '$pass'";

In this way, you don't actually have to loop over all the users in your application. More than likely, MySQL can do this operation far more efficiently. If the result set is empty, then the username or password doesn't exist in the database. If the result set contains a record, it will return only the record matching the username and password in the query.

Note that GET variables in PHP are actually in the global $_GET variable, not simply GET. The call to mysql_real_escape_string is necessary to prevent SQL injection attacks.

Ben Herila
+1  A: 

You don't want to retrieve ALL the users and then compare one by one against a username-password tuple, believe me.

Try this:

$query= "SELECT id FROM usuario 
         WHERE LOWER(username) = LOWER('" . mysql_real_escape_string($_GET["u"]) . "')
         AND
         password = '" . mysql_real_escape_string($_GET["p"]) ."';";

Then

$result=mysql_query($query) or die (mysql_error());
if(mysql_numrows($result) > 0) echo 'si';

And that's it.

Now, the error in your code lies here: $username=GET["u"]; should be $username=$_GET["u"];. Also, you might want to pass the username and password through POST instead of GET for security reasons.

Ben
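
Added example, not part of either answer or of the original page: the same WHERE-filtered lookup written with PDO prepared statements and password_hash()/password_verify(), in place of escaped string concatenation and a plaintext password comparison (the mysql_* functions used above were removed in PHP 7). It assumes the usuario table and the username/password columns from the question; the in-memory SQLite database, the check_login() helper and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed schema and data in an in-memory SQLite
// database so it runs offline. Against MySQL only the DSN and
// credentials passed to the PDO constructor change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuario (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE,
    password TEXT
)');

// Store a salted hash in the password column, never the plaintext.
$insert = $pdo->prepare('INSERT INTO usuario (username, password) VALUES (:u, :p)');
$insert->execute([
    ':u' => 'sergio',
    ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Hypothetical helper: true only when the user exists and the supplied
 * password matches the stored hash.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder sends the value separately from the SQL text, so
    // quote characters in $username cannot change the query structure.
    $stmt = $pdo->prepare('SELECT password FROM usuario WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        return false; // no such user
    }
    return password_verify($password, $hash);
}

// Constructed inputs: a valid pair, a wrong password, and a username that
// contains quote characters and is therefore matched only as literal data.
$cases = [
    ['sergio', 'correct horse'],
    ['sergio', 'wrong'],
    ["sergio' OR '1'='1", 'anything'],
];
foreach ($cases as [$u, $p]) {
    printf("%-20s => %s\n", $u, check_login($pdo, $u, $p) ? 'si' : 'no');
}
```

In the login page itself, the two arguments would come from $_POST["u"] and $_POST["p"] rather than from the constructed array.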