Which method is better to validate user credentials?

Question

Should I validate a username and pass word by searching for both in the SQL table Or Should I find the username then match the pass word with a PHP if statement?

1. <

Answer 1

From the 2 listed above, the second one is more secure, because first one is more tilted towards SQL injection.

SELECT * FROM table WHERE username = $username AND password =$password

In this code if the value of username and password entered is something like "a or ('a'='a')" the code will be modified to

SELECT * FROM table WHERE username = a or ('a' = 'a') AND password = a or ('a' = 'a')

Which means a clear code for listing all your data.

Whereas in the second case , IF condition will consider the value as a single string only. So second is the best among the 2 u mentioned..

Hope this helps