Home/ Questions/Q 816697
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T01:52:34+00:00

Here’s what I have but nothing is output to the screen. :\ <html> <head>

  • 0

Here’s what I have but nothing is output to the screen. :\

<html>
<head>
</head>
<body>
<? 
mysql_connect(localhost, "sergio", "123");
@mysql_select_db("multas") or die( "Unable to select database");

$query="SELECT * FROM usuario";
$result=mysql_query($query);

$num=mysql_numrows($result);
$i=0;

$username=GET["u"];
$password=GET["p"];

while ($i < $num) {

$dbusername=mysql_result($result,$i,"username");
$dbpassword=mysql_result($result,$i,"password");

if(($username == $dbusername) && ($password == $dbpassword)){
echo "si";
}

$i++;
}

?>
</body>
</html>

I’m iterating through all users and seeing if there is a match for user && password.

Any guidance?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should query the database directly using a WHERE filter. In your case, you could do something like 

    $user = mysql_real_escape_string($_GET["u"])
$pass = mysql_real_escape_string($_GET["p"])

    then query like this:

    $query = "SELECT * FROM usario WHERE username = '$user' AND password = '$pass'"

    In this way, you don’t actually have to loop over all the users in your application. More than likely, MySQL can do this operation far more efficiently. If the result set is empty, then the username or password doesn’t exist in the database. If the result set contains a record, it will return only the record matching the username and password in the query.

    Note that get variables in PHP are actually in the global $_GET variable, not simply GET. The call to mysql_real_escape_string is necessary to prevent SQL injection attacks.

    • 0