开发者

Very simply, how can check if a user exists against my MySQL database?

问答 作者:

Here's what I have but nothing is output to the screen. :\

<html>
<head>
</head>
<body>
<? 
mysql_connect(localhost, "sergio", "123");
@mysql_select_db("multas") or die( "Unable to select database");

$query="SELECT * FROM usuario";
$result=mysql_query($query);

$num=mysql_n开发者_如何学Cumrows($result);
$i=0;

$username=GET["u"];
$password=GET["p"];

while ($i < $num) {

$dbusername=mysql_result($result,$i,"username");
$dbpassword=mysql_result($result,$i,"password");

if(($username == $dbusername) && ($password == $dbpassword)){
echo "si";
}

$i++;
}

?>
</body>
</html>

I'm iterating through all users and seeing if there is a match for user && password.

Any guidance?

You should query the database directly using a WHERE filter. In your case, you could do something like 

$user = mysql_real_escape_string($_GET["u"])
$pass = mysql_real_escape_string($_GET["p"])

then query like this:

$query = "SELECT * FROM usario WHERE username = '$user' AND password = '$pass'"

In this way, you don't actually have to loop over all the users in your application. More than likely, MySQL can do this operation far more efficiently. If the result set is empty, then the username or password doesn't exist in the database. If the result set contains a record, it will return only the record matching the username and password in the query.

Note that get variables in PHP are actually in the global $_GET variable, not simply GET. The call to mysql_real_escape_string is necessary to prevent SQL injection attacks.

You don't want to retrieve ALL the users and then compare one by one against a username-password tuple, believe me.

Try this:

$query= "SELECT id FROM usuario 
         WHERE LOWER(username) = LOWER('" . mysql_real_escape_string($_GET["u"]) . "'
         AND
         password = '" . mysql_real_escape_string($_GET["p"]) ."';";

Then

$result=mysql_query($query) or die (mysql_error());
if(mysql_numrows($result) > 0) echo 'si';

And that's it.

Now, the error in your code relies in here $username=GET["u"]; should be $username=$_GET["u"];. Also, you might want to pass the username and password trough POST instead of GET for security reasons.

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9