
I have 3 tables in a database:

  • customer
  • contacts
  • reseller

My URL has index.php?rid=5 (rid=5 is a row from the reseller table with a sequence of 5).

My customer table has a resellerid column, so there are many rows there with a resellerid of 5.

My contacts table has a company_sequence column that links to the sequence column of the customer table.

The contacts table has an email and password column.

I'm trying to make a login form for rows from the contacts table to log in using the email and password.

I've tried this code:

    $sql="SELECT * from customer where resellerid = '".$ResellerID."' ";
    $rs=mysql_query($sql,$conn);
    while($result=mysql_fetch_array($rs))
    {
        $sql2="select * from contacts where company_sequence = '".$result["sequence"]."' and email='".$email."' and password='".md5($password)."'";
        $rs2=mysql_query($sql2,$conn);
        $result2=mysql_fetch_array($rs2);
    }

But when I run `if(mysql_num_rows($rs2) > 0)` it will only check the last row, even if there is a valid row in the contacts table.

How can I get this working?

charlie
  • Explosion Pill's answer below is correct. You should avoid using `mysql_*` functions in PHP. They are deprecated and your code is likely vulnerable to SQL Injection attacks. See here http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – Cfreak Sep 14 '13 at 17:57

1 Answer
    SELECT * FROM customer
    JOIN contacts ON (company_sequence = sequence)
    WHERE resellerid = ?
    AND email = ?
    AND password = ?

I also have some criticisms, namely:

  • You are using ext/mysql. Use PDO or mysqli
  • You are not using parameterized queries and your queries are vulnerable to injection
  • md5 is a weak hash not suitable for passwords
Explosion Pills
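The three criticisms in the answer above, combined into one login check, as an added example that is not code from the question or the answer. It assumes the `password` column stores `password_hash()` output instead of md5, uses a hypothetical function name `loginContact`, and runs against constructed sample rows in an in-memory SQLite database (requires the `pdo_sqlite` extension).

```php
<?php
declare(strict_types=1);

// Returns the matching contact row (without the hash), or null if the login fails.
function loginContact(PDO $pdo, int $resellerId, string $email, string $password): ?array
{
    // One joined query replaces the per-customer loop, so no result set is
    // overwritten by a later iteration. User input is bound, never concatenated.
    $stmt = $pdo->prepare(
        'SELECT contacts.email, contacts.password, customer.sequence AS customer_sequence
           FROM customer
           JOIN contacts ON contacts.company_sequence = customer.sequence
          WHERE customer.resellerid = :rid
            AND contacts.email = :email'
    );
    $stmt->execute([':rid' => $resellerId, ':email' => $email]);

    // The same email may exist under several customers of one reseller: check every row.
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (password_verify($password, $row['password'])) {
            unset($row['password']); // do not hand the hash back to the caller
            return $row;
        }
    }
    return null;
}

// Constructed sample data, not taken from the original post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (sequence INTEGER PRIMARY KEY, resellerid INTEGER)');
$pdo->exec('CREATE TABLE contacts (company_sequence INTEGER, email TEXT, password TEXT)');
$pdo->exec('INSERT INTO customer (sequence, resellerid) VALUES (10, 5), (11, 5), (12, 6)');
$ins = $pdo->prepare('INSERT INTO contacts (company_sequence, email, password) VALUES (?, ?, ?)');
$ins->execute([10, 'alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute([12, 'bob@example.com', password_hash('hunter2', PASSWORD_DEFAULT)]);

var_dump(loginContact($pdo, 5, 'alice@example.com', 'correct horse')); // contact under reseller 5
var_dump(loginContact($pdo, 5, 'alice@example.com', 'wrong'));         // wrong password
var_dump(loginContact($pdo, 5, 'bob@example.com', 'hunter2'));         // contact of another reseller
var_dump(loginContact($pdo, 5, "o'brien@example.com", 'x'));           // quote is bound as data
```

The password comparison happens in PHP with `password_verify()` rather than in the `WHERE` clause, because a salted hash cannot be matched by equality in SQL.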