Penaf

Seems nice Wolfie ... but is it better ?

Hello People, I'm not an expert programmer and I need all the help I can get to have this done the best way possible. I want to make the most secure possible login system and content submital to a mySQL database. I rely on a file I called motor.php to do all the work with the DB and here I needed seriously refactoring (I guess!) ... then I have a basic functions.php (from this file I only put here 1 function ... to get your opinion about it) and a connect.php So ... if you guys can help me ... thanks A LOT ! functions.php <?php function clean($string){ $string = addslashes($string); $string = strip_tags($string); $string = htmlspecialchars($string); $string = trim($string); return $string; } ?> connect.php <?php $host = "localhost"; // default $mysql_user = "XXX"; // mysql username $mysql_pass = "XXX"; // mysql password $mysql_db = "XXX"; //mysql database @mysql_connect($host,$mysql_user,$mysql_pass) or die("Could not connect to MySQL<br />".mysql_error()); @mysql_select_db($mysql_db) or die("Could not connect to MySQL database $db"); // Protecção contra SQL Injections para todas as variáveis POST e GET foreach ($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value); } foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); } ?> motor.php ... help needed here ... I always feel something is missing! <?php ob_start(); require('connect.php'); include('functions.php'); $act = $_GET['act']; if ($act == "adduser") { $user=clean($_POST['user']); $pass=md5(clean($_POST['pass'])); $nome=clean($_POST['nome']); $sql="INSERT INTO users(user, pass, nome) VALUES('$user', '$pass', '$nome')"; $result=mysql_query($sql); if($result){ echo"Sucesso!"; echo"<meta http-equiv='refresh' content='3;url=utilizadores.php'>"; }else{ echo" Insucesso!"; } mysql_close(); } elseif ($act == "deluser") { $user=$_POST['user']; $sql="DELETE FROM users WHERE user='$user'"; $result=mysql_query($sql); if($result){ echo"Sucesso!"; echo"<meta http-equiv='refresh' content='3;url=utilizadores.php'>"; }else{ echo" Insucesso!"; } mysql_close(); } elseif (act == "loginerro" || $act == "logindel"){ setcookie("user", "erro", time()+3600); echo"<meta http-equiv='refresh' content='3;url=utilizadores.php'>"; } elseif ($act == "authuser") { $user = clean($_POST['user']); $pass = md5(clean($_POST['pass'])); $usercookie = $user; $sql = "SELECT * FROM `users` WHERE `user` = '$user' AND `pass` = '$pass' LIMIT 1"; $result = mysql_query($sql); if(!mysql_num_rows($result)){ echo "Nome de utilizador ou password errados!"; setcookie("user", erro, time()+3600); die(); }else{ echo "Login Válido"; setcookie("user", $usercookie, time()+3600); echo"<meta http-equiv='refresh' content='3;url=utilizadores.php'>"; $logdate = date("Y-m-d"); $logtime = date("h:i:s"); $logip = $REMOTE_ADDR; $loghost = $_SERVER['HTTP_HOST']; $logentrada = mysql_query("INSERT INTO logentrada (loguser, logdate, logtime, logip, loghost) VALUES ('$user', '$logdate', '$logtime', '$logip', '$loghost')"); if(!$logentrada) die ('Database error ($logentrada): ' .mysql_error()); mysql_close(); } }elseif ($act == "addcontent") { $titulo=$_POST['titulo']; $conteudo=$_POST['conteudo']; $tipo=$_POST['tipo']; $user=$_POST['autor']; $imagem=$_POST['imagem']; $data=$_POST['data']; $hora=$_POST['hora']; $sql="INSERT INTO content(titulo, conteudo, tipo, autor, imagem, data, hora) VALUES('$titulo', '$conteudo', '$tipo', '$user', '$imagem', '$data', '$hora')"; $result=mysql_query($sql); if($result){ echo"Sucesso!"; echo"<meta http-equiv='refresh' content='3;url=utilizadores.php'>"; }else{ echo" Insucesso!"; } mysql_close(); } elseif (empty($act)) { echo "Não há nada aqui para ver!"; } ob_flush() ?>