-2

guys! I'm in trouble with my MySQL database. When I try to access the fields it doesn't return the exact value. Here is the code.

<?php
  $host = "localhost";
 $user = "******";
 $pass = "******";
 $db = mysql_connect($host, $user, $pass) or die("Unable to connect. Check your connection parameters.");
 mysql_select_db("*****") or die("Unable to select database!");
  $form_username=$_POST["username"];
 $form_password=$_POST["password"];
 $query="
  SELECT username, password FROM users
 ";
 $result=mysql_query($query,$db) or die("Unable to send the query".mysql_error());
 $index=0;
 while($row=mysql_fetch_row($result))
 {
  $username[$index]=row[0];
  $password[$index]=row[1];
  $index++;
 }
 
 for($i=0; $i<=$index; $i++)
 {
  if($form_username==$username[$i]&& $form_password==$password[$i])
  {
   session_start();
   $_SESSION["login"]="OK";
   header("Location: ************");
   die();
  }
 }

The if statement inside the for operator returns false for every given value. When I echo every username and password like this:

echo $form_username." ".$username[0]." ".$form_password." ".$password[0]."<br>";
 echo $form_username." ".$username[1]." ".$form_password." ".$password[1]."<br>";
 echo $form_username." ".$username[2]." ".$form_password." ".$password[2]."<br>";

It echo me this:

admin r 12345 o

admin r 12345 o

admin r 12345 o

I really don't know where the problem is. I'll really appreciate your help.

zumbata
  • 33
  • 5
  • 1
    mysql_* functions are deprecated, use PDO or MySQLi. You are storing passwords in plaintext, they need to be securely hashed. And I'm sure that if given the chance you would also be vulnerable to SQL injection, so look that up too. – Enstage May 30 '17 at 23:30
  • You should be getting an `undefined row constant` error – Funk Forty Niner May 30 '17 at 23:38

1 Answers1

2

Should this bit:

while($row=mysql_fetch_row($result))
{
    $username[$index]=row[0];
    $password[$index]=row[1];
    $index++;
}

Read:

while($row=mysql_fetch_row($result))
{
    $username[$index] = $row[0];
    $password[$index] = $row[1];
    $index++;
}

Note missing $ on the variable names.

David Findlay
  • 1,296
  • 1
  • 14
  • 30
  • 1
    This is the correct answer, in the first instance, PHP is treating 'row' as a string, so doing row[0] is returning the first character 'r'. Hence OP's output of `admin r 12345 o`. Interesting to say the least. – Enstage May 30 '17 at 23:35
  • 1
    Heh nicely deciphered @Enstage. I didn't realise that's why it had that output, I just quickly did a scan for obvious issues. As someone who uses lots of different languages, I regularly make mistakes like this so it's the first thing I look for. I tend to use code formatting with a lot more whitespace to make things easier to read. – David Findlay May 30 '17 at 23:37
  • Thank you guys so much, I didn't get any errors or warnings before but now, when corrected, it worked. I get really angry when realizing what stupid mistakes I do. – zumbata May 30 '17 at 23:51
  • Hey @zumbata we all make such mistakes. PHP has a habit of doing things that don't work but also don't cause errors. Could you do me a favour and click the answer accepted button on this one? – David Findlay May 31 '17 at 00:48