What is Wrong with This Script?

[Seraphino]

PHP Code:

<?
$hostname="<HIDDEN>";
$username="damasterjo";
$password="<HIDDEN>";
$database="damasterjo";

mysql_connect($hostname,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query="SELECT * FROM Customers";
$result=mysql_query($query);
$num=mysql_numrows($result);

//Checks If The Username and Password Exists
//Declaring Variables
$usernameisvalid=0;
$passwordisvalid=0;
$passwordexists=0;
$usernameexists=0;
//loop through all the entrys in the database to see if any match...
    while ($usernameisvalid < $num) {
        //set the username they want to a variable
        $checkuser=$_POST['Username'];
        //Set the database user name into a variable
        $existing=mysql_result($result,$usernameisvalid,"Username");
        //Check whether or not they are the same

            if  ($checkuser == $existing)
            {
                $usernameisvalid=$num;
                $usernameexists=1;
            }
                $usernameisvalid++;
            }

    while ($passwordisvalid < $num) {
        //Set Password They Want Into A Variable
        $checkpassword=$_POST['Password'];
        //Set the database password into a variable
        $existingpass=mysql_result($result,$passwordisvalid,"Password");
        //Check whether or not they are the same
        
            if ($checkpassword == $existingpass)
            {
                $passwordisvalid=$num;
                $passwordexists=1;
            }
                $passwordisvalid++;
            }
    
    if ($passwordexists == 0 and $usernameexists == 0)
    {
        echo "This Username or Password is Invalid!";
    }
    if ($usernameexists == 1 and $passwordexists == 1)
    {
        echo "This Username and Password Exists!";
    }
?>

For some reason, no matter what Username or Password I enter, it keeps saying that it is valid.

Btw, just to let everyone know, this is for a joined project between me and Damasterjo.

[lintz]

Here is your problem..

PHP Code:

$num=mysql_numrows($result); 


//Should be

$num=mysql_num_rows($result); 


[john tindell]

why dont you just do this all in an SQL query

PHP Code:

$query = "SELECT username, password from Users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] ."' LIMIT 1"; 


Note: You should not store the actual password in your database, instead store the hash of it. Use the md5() function for this.


Lintz mysql_num_rows and mysql_numrows will both work, for the moment, as they havent removed the later from PHP. If the problem was with the function beig removed then it would have thrown an error saying that the function could not be found.

[penagate]

Here is the gist of my login function. It's inside a user class which explains the use of the this keyword.

$username is the posted username. $passwordHash is the md5 hash of the password posted.

PHP Code:

// find the user
$users = mysql_query(
  'SELECT DISTINCT * FROM `'.USERS_TABLE.'` WHERE `username` = \''.$username.'\''
);

if (is_resource($users) && (bool)mysql_num_rows($users)) {
  $user = mysql_fetch_assoc($users);
  
  // check password
  if ($user['password_md5'] == $passwordHash) {
    $this->LoggedIn = true;
    
    $this->userID = $user['id'];
    $this->username = $username;
    $this->userGroups = $user['user_groups'];
    
    $_SESSION['user_object'] = $this;
  }
  else {
    return AUTH_WRONG_PASSWORD;
  }
}
else {
  return AUTH_NO_USER;
} 


AUTH_WRONG_PASSWORD and AUTH_NO_USER are just constants.

[damasterjo]

Ok well i fixed it for him, all that was wrong he was using the wrong post variable, its caps sensitive, so I fixed it...