form validation problem

Posted: Sat Mar 17, 2007 9:20 am
by mlecho
Hi guys... I have this dilemma... I am learning how to validate a form. Before I step into case sensitivity, I have a more pressing issue. The user names and passwords are held in a MySQL table. $un and $ps are posted to the script. Now, if the password and username match what is on the db, all is fine. If the user gets one of the two wrong, then it runs the returnToStart() function. However, if the user should type into the username field a name that is not on the db, and any random password, the script still runs as if all is fine. How do I clarify to PHP that if the username $ps is not in the db (!$info['userName']), then returnToStart()?

Code:

function getStuff($un,$ps){
	$sql="SELECT * FROM users WHERE userName='$un'";
	$res=mysql_query($sql)or die(mysql_error());
	while($info= mysql_fetch_assoc($res)){
	
		if($ps==$info['password'] && $un==$info['userName']){
		
			break;
		}else{
			returnToStart();
		}
	}
}
I have tried several variations of

Code:

if($ps!=$info['password']..
if(!$info['password']..
if(count($info['userName'])<=0)...//my most desperate attempt
none of which worked.

Posted: Sat Mar 17, 2007 9:24 am
by feyd
Your while loop won't even execute if the user name doesn't exist.

mysql_num_rows() may be of interest here. Also, you should be able to check if the password matches in the query too. I also hope that your code is reasonably protected from SQL injection.

Posted: Sat Mar 17, 2007 9:44 am
by mlecho
feyd - something told me that you would be the one to chime in. Yeah, that worked just great. Can you refer me to a place to learn/read more about mysql injection? Sounds like I have some learning to do.

Posted: Sat Mar 17, 2007 11:34 am
by feyd
Search around for the phrase "SQL injection."
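
Editor's added example (not code from any poster in this thread): the two points feyd raises, handling the "no such user" case explicitly and keeping the posted user name out of the SQL text, shown together. It assumes PDO with an in-memory SQLite database so it runs offline, a hypothetical checkLogin() function, and a password column that holds password_hash() output; the table and column names follow the original post.

```php
<?php
// Added example: PDO + in-memory SQLite so it runs without a MySQL server.
// users / userName / password follow the thread; checkLogin() and the
// hashed password column are assumptions of this example.

function checkLogin(PDO $db, string $un, string $ps): bool
{
    // The placeholder keeps $un out of the SQL text, so quote characters
    // in the submitted name are treated as data, not as SQL syntax.
    $stmt = $db->prepare('SELECT password FROM users WHERE userName = :un');
    $stmt->execute([':un' => $un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No row: the user name is not in the table. This is the case the
    // original while loop never reached, because its body ran zero times.
    if ($row === false) {
        return false;
    }

    // Assumption: the column stores a password_hash() value, not plain text.
    return password_verify($ps, $row['password']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO users (userName, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed login attempts covering each outcome.
$attempts = [
    ['alice', 'correct horse'],  // known user, right password
    ['alice', 'wrong'],          // known user, wrong password
    ['nobody', 'anything'],      // unknown user: must be rejected
    ["o'brien", 'anything'],     // apostrophe in the name is handled as data
];
foreach ($attempts as [$un, $ps]) {
    $result = checkLogin($db, $un, $ps) ? 'accepted' : 'rejected';
    printf("%-10s %s\n", $un, $result);
}
```

The function returns false for both an unknown user and a wrong password, so the caller can run returnToStart() on any false result without revealing which of the two fields was wrong.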