Login Function: Just some needed input on complete function

[radar]

I have this function completely written in my class file that I am working on.  The point to this function is to be able to check the login of a user or administrator for either of the control panels associated with my site.

 

It will check the session intime as well as the page / module referenced.  Once it passes all those checks, it will check and ensure the emailaddress/password stored in the current session still holds true and the account is still active...  if the account is still active it will update the lastActivity as well as update all of the session variables with what is currently in the database.

 

What I am looking for is basically a look at the function, see if it looks good..  If there is any part to it that could create security holes for the site just off the login function itself...

 

Usage: $q->validUser($_SESSION['user'], $_mod);

 

<?php
function validUser($sess, $p) {

	if ($sess['inTime'] == '' && $p != 'login' && $p != 'logout') {
		session_destroy();
		$login = '0';
		$_int = '';
		return $login;
	} else if ($sess['inTime'] < time()-3600 && $p != 'login') {
		$sess['inTime'] = '';
		session_destroy();
		$this->check_login($sess, $p);
	} else {
		$this->user = $sess['emailAddress'];
		$this->pass = $sess['password'];

		$login = $this->sql_query("SELECT * FROM users WHERE emailAddress = '".$this->user."' AND password = '".$this->pass."' 
								   AND status = '1' LIMIT '1'");
		if ($login = $this->sql_numrows($login) < 1) {
			$sess['inTime'] == '';
			session_destroy();
			$login = '0';
		} else {
			// logged in, lets update the database for last_activity AND the session.

			$this->sql_query("UDATE users SET lastActivity = '".now()."' WHERE
							  emailAddress = '".$this->user."'");
			$login = $this->sql_query("SELECT * FROM users WHERE emailAddress = '".$this->user."' AND password = '".$this->pass."' 
								       AND status = '1' LIMIT '1'");
			$login = mysql_fetch_assoc($login);
			foreach ($login as $key => $value)
			{ 
				$sess[$key] = $value;
			}
			$sess['inTime'] = time();
			$login = '1';
		}
		return $login;
	}
}

?>

 

That is the main function, sql_query and sql_numrows is:

 

<?php
function sql_query($query = "", $transaction = FALSE) {
	unset($this->query_result);

	if ($query != "") {
		$this->num_queries++;
		if ($transation == BEGIN_TRANSACTION && !$this->in_transation) {
			$result = mysql_query("BEGIN", $this->db_connect_id);
			if (!$result) {
				return false;
			}
			$this->in_transaction = TRUE;
		}

		$this->query_result = mysql_query($query, $this->db_connect_id);
	} else {
		if ($transaction == END_TRANSACTION && $this->in_transaction ) {
			$result = mysql_query("COMMIT", $this->db_connect_id);
		}
	}
	if ($this->query_result) {
		unset($this->row[$this->query_result]);
		unset($this->rowset[$this->query_result]);

		if ($transaction == END_TRANSACTION && $this->in_transaction ) {
			$this->in_transaction = FALSE;
			if (!mysql_query("COMMIT", $this->db_connect_id)) {
				mysql_query("ROLLBACK", $this->db_connect_id);
				return false;
			}
		}
		return $this->query_result;
	} else {
		if ($this->in_transaction ) {
			mysql_query("ROLLBACK", $this->db_connect_id);
			$this->in_transaction = FALSE;
		}
		return false;
	}
}

function sql_numrows($query_id = 0) {
	if(!$query_id) {
		$query_id = $this->query_result;
	}
	return ($query_id) ? mysql_num_rows($query_id) : false;
} ?>

 

Any insight that can help to benefit these functions would be appreciated.