hmm I would usually do this to check if the form is submitted:
if('Login' === $_POST['login'])
That assumes the value attribute of the button is 'Login'. That simply checks if $_POST['login'] contains the value 'Login' as a string.
Also, since the config.php file is a vital component here, you should either use require instead of include or do this:
PHP Code:
<?php
// include only warns and carries on when the file is missing;
// checking its return value turns that into a hard stop.
if (!include 'config.php') {
    die('Internal error blah blah');
}
?>
You might also want to apply strip_tags() to the username.
This is the function I use to escape all illegal characters from an SQL query:
PHP Code:
// $inOut = TRUE : value is going INTO a query (escape and quote it)
// $inOut = FALSE: value came OUT of the db (only undo magic-quotes slashes)
// Note: mysql_real_escape_string() needs an open mysql_connect() link,
// and both it and get_magic_quotes_gpc() were removed in PHP 7.
function koobi_escapeSql($badQuery, $inOut = TRUE)
{
    switch ($inOut) {
        case TRUE:
            // if magic quotes already added slashes, don't add them twice
            $badQuery = (!get_magic_quotes_gpc()) ? addslashes($badQuery) : $badQuery;
            // numbers go in bare; everything else is escaped and quoted
            $badQuery = (!is_numeric($badQuery)) ? "'" . mysql_real_escape_string($badQuery) . "'" : $badQuery;
            break;
        case FALSE:
            // this path adds no quotes and no escaping: never use it to build a query
            $badQuery = (get_magic_quotes_gpc()) ? stripslashes($badQuery) : $badQuery;
            break;
    }
    return $badQuery;
}
(if the syntax above seems unfamiliar to you, look up the Ternary Operator)
Example usage:
FOR INPUT
PHP Code:
// user input going INTO a query: default $inOut = TRUE escapes and quotes it
$myQuery = 'INSERT INTO myPrefix_myTable
            SET username=' . koobi_escapeSql($_POST['username']);
FOR OUTPUT
PHP Code:
// the WHERE value is still input INTO a query, so it needs the escaping path too
$myQuery = 'SELECT *
            FROM myPrefix_myTable
            WHERE username=' . koobi_escapeSql($_POST['username']);
$row = mysql_fetch_assoc(mysql_query($myQuery));
// FOR OUTPUT: a value read back OUT of the db only gets its slashes undone
$username = koobi_escapeSql($row['username'], FALSE);
Note that in my function I check for get_magic_quotes_gpc(), so if you entered the info into the db when php.ini had magic quotes off and extracted it after someone decided to turn it on (or vice versa), your output will have extra slashes or none at all, so watch out for that.
If you get the 'headers already sent' error, look up output buffering (ob_start()). What it does is buffer all the data, send the headers first and then send the output text.
I could just type everything out again but I'm lazy so I will link you to another thread on another board...hope it's not a problem with the mods, if it is, then please remove this link:
http://www.phpfreaks.com/forums/inde...dpost&p=238670
:edit:
About session hijacking, you might as well search Google. Don't get me wrong here, but a tutorial you'd find on Google will probably explain it a lot better, with more detail and hardly anything left out, since it will be written after careful consideration and not just as some forum post:
http://www.google.com/search?hl=en&l...hp&btnG=Search
Also, I would advise you to create a db abstraction layer and even a session class if you're familiar with OOP. It will make things very easy for you, and remember that in OOP, planning your code before you write it is perhaps the most important thing.
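The escaping function above is the poster's own. As an added example that is not from the post, here is the same INSERT/SELECT pair, together with the form-submission and config checks from the top of the post, written for current PHP with PDO prepared statements: the username travels as a bound parameter and is never spliced into the query text, so neither addslashes() nor mysql_real_escape_string() is needed, and the magic-quotes question disappears. The table and column names, the config variables $dsn, $dbUser and $dbPass, and the function names are assumptions made for this example.

```php
<?php
// Added example (not the poster's code). Assumes config.php defines
// $dsn, $dbUser and $dbPass, and a table myPrefix_myTable with the
// columns username and password_hash. Requires PHP 7+ with PDO.
declare(strict_types=1);

require 'config.php'; // fatal if the file is missing, unlike include

function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Trim and length-limit the raw value; no slash handling at all,
// because the driver does the quoting for bound parameters.
function cleanUsername(?string $raw): ?string
{
    $name = trim((string) $raw);
    return ($name === '' || strlen($name) > 64) ? null : $name;
}

// INPUT: the value goes in as a parameter, so "O'Brien" or "' OR 1=1 --"
// are stored literally instead of altering the statement.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO myPrefix_myTable (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// OUTPUT: same idea for the lookup; the WHERE value is bound, not quoted by hand.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM myPrefix_myTable WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Only act on a real submission: the button's value attribute is 'Login'.
if (($_POST['login'] ?? null) !== 'Login') {
    exit('No form submitted.');
}

$username = cleanUsername($_POST['username'] ?? null);
if ($username === null) {
    exit('Invalid username.');
}

$pdo = connectDb($dsn, $dbUser, $dbPass);
$row = findUser($pdo, $username);

if ($row !== null && password_verify((string) ($_POST['password'] ?? ''), $row['password_hash'])) {
    // Escaping belongs to the output context: SQL escaping and HTML
    // escaping are different jobs, which is what strip_tags()/htmlspecialchars()
    // are about. Escape here, at the point of output.
    echo 'Welcome, ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Login failed.';
}
```

The point of the bound parameters is that the query text is fixed at prepare time, so there is no string the user can complete or break out of; the is_numeric() special case and the "did magic quotes already add slashes?" question in the escaping function both go away. htmlspecialchars() at the echo is the one escaping step that remains, and it is for the HTML context, not the SQL one.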