Very simply, how can check if a user exists against my MySQL database?
Here's what I have but nothing is output to the screen. :\
<html>
<head>
</head>
<body>
<?
mysql_connect(localhost, "sergio", "123");
@mysql_select_db("multas") or die( "Unable to select database");
$query="SELECT * FROM usuario";
$result=mysql_query($query);
$num=mysql_n开发者_如何学Cumrows($result);
$i=0;
$username=GET["u"];
$password=GET["p"];
while ($i < $num) {
$dbusername=mysql_result($result,$i,"username");
$dbpassword=mysql_result($result,$i,"password");
if(($username == $dbusername) && ($password == $dbpassword)){
echo "si";
}
$i++;
}
?>
</body>
</html>
I'm iterating through all users and seeing if there is a match for user && password.
Any guidance?
You should query the database directly using a WHERE filter. In your case, you could do something like
$user = mysql_real_escape_string($_GET["u"])
$pass = mysql_real_escape_string($_GET["p"])
then query like this:
$query = "SELECT * FROM usario WHERE username = '$user' AND password = '$pass'"
In this way, you don't actually have to loop over all the users in your application. More than likely, MySQL can do this operation far more efficiently. If the result set is empty, then the username or password doesn't exist in the database. If the result set contains a record, it will return only the record matching the username and password in the query.
Note that get variables in PHP are actually in the global $_GET variable, not simply GET. The call to mysql_real_escape_string is necessary to prevent SQL injection attacks.
You don't want to retrieve ALL the users and then compare one by one against a username-password tuple, believe me.
Try this:
$query= "SELECT id FROM usuario
WHERE LOWER(username) = LOWER('" . mysql_real_escape_string($_GET["u"]) . "'
AND
password = '" . mysql_real_escape_string($_GET["p"]) ."';";
Then
$result=mysql_query($query) or die (mysql_error());
if(mysql_numrows($result) > 0) echo 'si';
And that's it.
Now, the error in your code relies in here $username=GET["u"];
should be $username=$_GET["u"];
. Also, you might want to pass the username and password trough POST
instead of GET
for security reasons.
精彩评论