not sure if i have coded my login system correctly?

[yobo]

hey all,

 

i am not sure if my login system is working correctly with the sessions?

 

my login2.php (shows once the user has submitted the login form)

 

<?php

 

include("config.php");

 

// connect to the mysql server

$link = mysql_connect($server, $db_user, $db_pass)

or die ("Could not connect to mysql because ".mysql_error());

 

// select the database

mysql_select_db($database)

or die ("Could not select database because ".mysql_error());

 

$match = "SELECT userid FROM users WHERE username = '".$_POST['username']."'

and password = '".$_POST['password']."';";

 

$qry = mysql_query($match)

or die ("Could not match data because ".mysql_error());

$num_rows = mysql_num_rows($qry);

 

if ($num_rows <= 0) {

echo "Sorry, there is no username $username with the specified password.<br>";

echo "<a href=login.html>Try again</a>";

exit;

} else {

 

$_SESSION['ok'] = 'username';

echo "You are now logged in!<br>";

echo "Continue to the <a href=members.php>members</a> section.";

}

?>

 

my members.php

 

<?php

session_start();

ob_start();

if (!isset($_SESSION['ok']))

 

$_SESSION['ok'];

echo "you are logged in as $username";

?>

<a href="logout.php">Logout Here</a>

 

logout.php

 

<?php

session_destroy('ok');

 

echo "You are now logged out.<br>";

echo "<a href=\"login.php\">Log in</a>.";

 

?>

 

much appricated for help

[virtuexru]

First things first..

 

Do this in the beginning, take the $_POST, clear it, and assign variables.. It's safer and cleaner this way.

 

$username = mysql_real_escape_string($_POST['username']);

$password = mysql_real_escape_string($_POST['password']);

 

Then, to error check, instead of doing <= 0, do this:

 

$num_rows = mysql_num_rows($qry);

 

if ($num_rows != '1')

{}

else

{}

 

Hope that helps, if not, let me know what the error is.

[yobo]

everything is working fine now