Processing order of login script?

[chiprivers]

Hello all and merry christmas  ;D

I know there have been several people asking about login scripts but I have managed to create a working one, but I was wondering if anybody could suggest an alternative structure for checking and processing the various steps?  I am currently using the following flow to login but I am sure there is a simpler and more efficient way without duplicating my code!

[code]

<?php

// is there a user logged in?
if ($_SESSION['logged'] == "out") {
// has user just submitted login form?
if (isset($_POST['login_password'])) {
// login details submitted - process and verify user
require 'connect_db.php';
$qry_login = "SELECT * FROM members WHERE password = '".$_POST['login_password']."' AND username = '".$_POST['login_user'] ."'";
$rslt_login = mysql_query($qry_login);
$num_login = mysql_num_rows($rslt_login);
if ($num_login == 1) {
// user verified
$member = mysql_fetch_array($rslt_login);
$_SESSION['logged'] = "in";
$_SESSION['member'] = $member['individual'];
$_SESSION['access'] = $member['access'];
// show member details
require 'logged_in.php';
} else {
require 'login_form.php';
}
} else {
// show login form
require 'login_form.php';
}
} else {
// user is logged in - are they logging out?
if (isset($_POST['logout_member'])) {
// user loggin out - clear session variables and show login form
$_SESSION['logged'] = "out";
$_SESSION['member'] = "";
$_SESSION['access'] = 0;
require 'login_form.php';
} else {
// user is logged in - show member details
require 'logged_in.php';
}
}

?>


[/code]

[Orio]

That's a very good structure- does the work and is pretty efficient...
You just need to read a bit about SQL injections, because your script is vulnerable. Another I would add is md5/sha1 encryption of the password, with or without a salt string- to improve security.

Orio.

[ted_chou12]

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php <<<<SQL Injection is here, chiprivers, your homework ;D
Ted