Code:
index/login:
<?php
if(isset($_POST['login'])) {
    include 'config.php';
    $username = trim($_POST['username']);
    $password = md5(trim($_POST['password']));
    // $username and $password are placed directly into the query string
    $query = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password' LIMIT 1")
        or die(mysql_error());
    // now we check if they are activated
    if(mysql_num_rows($query) > 0) {
        $_SESSION['s_logged_n'] = "true";
        $_SESSION['s_username'] = $username;
        setcookie("access", "yes", time()+3600);
        header("Location: member.php");
    } else {
        include 'functions.php';
        writeHeader();
        echo '
<h1>Vectorthis Login</h1>
<h2>There was an error processing your login, it appears that your username and/or password was incorrect. Please try again.</h2>
</body>
</html>';
    }
} // closes if(isset($_POST['login']))
?>
Code:
interior pages:
<?php
session_start();
include 'config.php';
if($_SESSION['s_logged_n'] == "true" && $_COOKIE['access']=="yes") {
    // do_php_stuff: protected page content goes here
} else {
    print "Log-in Jerk";
}
?>
I'm pretty sure that's not very secure.
I've just read a little bit about SQL injection, and for public fields/forms I'm writing some functions that will strip away any illegal characters that could interfere with the queries, but I'm really concerned with behind the scenes stuff that I don't want unauthorized people to see.
I can set sessions/cookies, but I hear session hijacking and stuff like that is pretty easy, which makes me concerned with my own security.
Is there anything else I can do to prevent unauthorized users from viewing pages? I'm not very good with classes, so I don't have much beyond this. I might be able to understand them if I looked at them, but I don't know if I'd understand it well enough to manipulate it or create my own, and I haven't really seen anything else dealing with this issue.
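
Added example, not part of the original post: a hardened form of the login check and page guard above, written for PHP 7.3+ with PDO. The Users table and session keys follow the post; the function names, the in-memory SQLite database and the sample account are assumptions made so the block runs stand-alone.

```php
<?php
// Added example, not the poster's code. Users table and session keys follow the
// post; function names, the SQLite database and the sample account are assumptions.
declare(strict_types=1);

function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Stored value is a salted password_hash() string rather than md5().
    return is_string($hash) && password_verify($password, $hash);
}

function secure_session_start(): void
{
    // Session cookie hidden from JavaScript and sent only over HTTPS.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function mark_logged_in(string $username): void
{
    session_regenerate_id(true);   // fresh session id at login
    $_SESSION['s_logged_n'] = true;
    $_SESSION['s_username'] = $username;
}

function is_member(): bool
{
    // Trust only server-side session state; a client can set any cookie value,
    // so the "access" cookie adds nothing to the check.
    return ($_SESSION['s_logged_n'] ?? false) === true;
}

// Constructed demo: in-memory SQLite so it runs from the CLI without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT)');
$db->prepare('INSERT INTO Users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'alice', 'correct horse')); // valid credentials
var_dump(check_login($db, 'alice', 'wrong'));         // wrong password
var_dump(check_login($db, "o'brien", 'x'));           // quote in input is handled as data
var_dump(is_member());                                // no session state, so not a member
```

On a real page, call secure_session_start() before any output, call mark_logged_in() only after check_login() succeeds, and gate each interior page on is_member().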