fesan

Members
  • Posts: 114
Everything posted by fesan

  1. Yea... Sorry! Did not get that at first...
  2. I'm no expert but can't you just do it like this:

     ```php
     $query = "SELECT email FROM users WHERE level = '2'";
     $result = mysql_query($query);
     // Print the email column of every matching row
     while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
         echo $row['email'];
     }
     ```
  3. Forgot to ask, the note on generalizing my login check into a function. Is it a good practice to make one PHP file with all my functions and include it in the index, so I can call the needed functions from wherever?
  4. Thanks for the answers guys! Just a couple of follow ups. OK, so by upgrading my outdated code with PDO(), validating my income data and adding some salt to the MD5 hash my site is secure with the code below:

     ```php
     if(is_int($_SESSION['login']) == 1 && isset($_SESSION['user']) && isset($_SESSION['name'])){
         //secret stuff... HTML output of a table from mysql.
     }
     ```

     Or should there be some other check and validation that the user is the user? I would like to keep away from cookies and alike. Jup, the double session() was just a mistake of updating my code while developing... But thanks for the tip!
  5. Hi... Have spent some time away from programming, so I need some updates! I have written a small application for my company and another company. Suddenly the security part smacked me in the head. This is the first time I actually must have a login to protect info. Nothing very important, but we don't want everyone lurking around being able to read everything. Anyhow. When I first started to do some security on my own sites I did it like this:

     ```php
     <?php
     session_start();

     // Logging out clears the login flag and the stored user details
     if (isset($_GET['logout'])) {
         $_SESSION['login'] = false;
         unset($_SESSION["user"]);
         unset($_SESSION["status"]);
         unset($_SESSION["name"]);
     }

     if ($_SESSION['login'] == true && isset($_SESSION['user']) && isset($_SESSION['status'])) {
         //My Page with secret stuff
     } else {
         echo "Log in bastard";
     }
     ?>
     ```

     Is this a good enough way for keeping people out or is this old shit that is renewed? There is of course MD5 encryption on the passwords in the database, and the login script looks like this:

     ```php
     <?php
     session_start();

     if ($_GET['task'] == "login") {
         $usr = !empty($_POST['username']) ? $_POST['username'] : '';
         $pass = !empty($_POST['password']) ? $_POST['password'] : '';
         $md5_pass = md5($pass);

         include("admin/conn_us.php");

         // Look up the user row by username
         $query = "SELECT * FROM ${dbtable} WHERE brukernavn = '".mysql_real_escape_string($usr)."'";
         if ($result = mysql_query($query)) {
             if (mysql_num_rows($result) <> 1) {
                 die("<p><span class='red'>Feil Brukernavn,".
                     "</p><p>Kontakt systemadministrator.</span></p>");
             }
             if ($row = mysql_fetch_array($result)) {
                 // Compare the stored hash with the MD5 of the submitted password
                 if ($row['passord'] == $md5_pass) {
                     session_start();
                     $usr = $row['brukernavn'];
                     $name = $row['navn'];
                     $_SESSION["login"] = true;
                     $_SESSION["user"] = $usr;
                     $_SESSION["name"] = $name;
                     header("Location: http://bahrawy.net/dlight/ballroom/index.php");
                     exit;
                 } else {
                     echo "<span class='red'>Du har tastet feil passord</span>";
                 }
             }
         }
     } else {
         // No login attempt yet: show the login form
         echo '<p>
         <form name="form1" method="post" action="login.php?task=login">
         Brukernavn:<br>
         <input type="text" name="username" id="username">
         <br>
         Passord: <br>
         <input type="password" name="password" id="password">
         <br>
         <input type="submit" name="submit" id="submit" value="Logg Inn">
         </form>';
     }
     ?>
     ```

     Thanks for any input!