
Better user validation other than cookies?


The Bat


Hey there,

 

I know how to authenticate users and all that (get matches from a database, if there's a match set a cookie, etc. etc.), but I'm wondering if there's a better, more secure way to validate a user other than a cookie. Currently, the best way I know how to validate someone is to store someone's username in a cookie, and get their info by the SQL statement below:

 

mysql_query("SELECT * FROM users WHERE username='".$_COOKIE['username']."'");

 

Which, I can assume, is not that secure.

 

Yes, I know all about sessions, and I would much rather use them, but the only thing keeping me from doing so is the ability (or lack thereof) for sessions to expire at the time I specify (for example when a user clicks 'Remember Me' during login). Or do I just not know about session expiry time?

 

I've heard of someone saying to store the cookie contents in a session, and just use the session values in the queries and whatnot, but can't a user just edit the cookie value, thus making the session the same value? (A user can edit cookie values, right?)

 

I'm looking forward to all of your information, and thanks for the help.

http://www.webmaster-talk.com/php-forum/58129-sql-injection-problem-php-mysql-websites.html#post271952

 

It would be easy for me to edit my cookie to contain:

 

monk.e.boy"; DROP TABLE users; --

 

Use sessions. They solve all your problems, and you won't have to change much code.

 

http://www.tizag.com/phpT/phpsessions.php

 

monk.e.boy

 

EDIT: hey did you just change your question?!?
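To illustrate the advice above in working code, here is an added example (not code from either poster): the session holds the logged-in user's id, and the optional "Remember Me" cookie carries only a random token whose hash is checked against the database, so an edited cookie fails rather than being spliced into SQL. It assumes PHP 7.3+ with `session_start()` already called, a PDO connection `$db`, a hypothetical table `remember_tokens(selector, token_hash, user_id, expires_at)`, and that a successful password check has already set `$_SESSION['user_id']`.

```php
<?php
// Added example, not from the thread. A "Remember Me" cookie that carries only a
// random token (never the username), checked against a hash in the database.
// Assumes a table remember_tokens(selector, token_hash, user_id, expires_at) and
// that a successful login has already put the user's id in $_SESSION['user_id'].

function issueRememberMe(PDO $db, int $userId, int $days): void
{
    // selector locates the row; token is stored only as a hash, like a password
    $selector = bin2hex(random_bytes(8));
    $token    = bin2hex(random_bytes(32));
    $expires  = time() + $days * 86400;
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $userId, $expires]);
    setcookie('remember', "$selector:$token", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function currentUserId(PDO $db, int $idleSeconds = 1800): ?int
{
    // 1. live session, with an idle timeout enforced here rather than by PHP's GC
    if (isset($_SESSION['user_id']) && time() - ($_SESSION['last_seen'] ?? 0) < $idleSeconds) {
        $_SESSION['last_seen'] = time();
        return $_SESSION['user_id'];
    }
    // 2. otherwise try the cookie; an edited value simply fails the hash check
    if (!isset($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $token] = explode(':', $_COOKIE['remember']);
    // parameterised query: the cookie value is bound, never spliced into the SQL
    $stmt = $db->prepare('SELECT user_id, token_hash FROM remember_tokens
                          WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    session_regenerate_id(true);            // fresh session id on re-authentication
    $_SESSION['user_id']   = (int) $row['user_id'];
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}
```

The expiry the original poster asked about is controlled by the `expires_at` column and the cookie's `expires` attribute rather than by the session itself; deleting the row (or all rows for a user) revokes the cookie server-side.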
