dprichard Posted June 18, 2007

Login page:

<?php
session_start();
require_once('../Connections/prbc.php');

if (isset($_POST['login'])) {
    $username = '';
    $password = '';
    if (isset($_POST['username']) && $_POST['username'] != '') $username = $_POST['username'];
    if (isset($_POST['password']) && $_POST['password'] != '') $password = $_POST['password'];

    // Escape both values before they are used in the query below
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $db_password = md5($password);

    mysql_select_db('prbcweb') or die(mysql_error());
    $login = mysql_query("SELECT * FROM prbc_user WHERE `user_name` = '$username' AND `user_pass` = '$db_password'");
    $row_login = mysql_fetch_array($login);
    $row_login_total = mysql_num_rows($login);

    if ($row_login_total == 1) {
        // Exactly one matching row: store the user's identity and access level in the session
        $_SESSION['MM_Username'] = $row_login['user_name'];
        $_SESSION['UID'] = $row_login['user_id'];
        $_SESSION['auth_level'] = $row_login['user_access_level'];
        echo "<script type=text/javascript>location.href='approver.php'</script>";
    } else {
        header("Location: login_2.php");
        exit; // stop the script once the redirect header is sent
    }
}
?>

Access Control on Pages:

<?php
session_start();
if (isset($_SESSION['MM_Username']) && ($_SESSION['auth_level'] <= '5')) {
    $username = $_SESSION['MM_Username'];
} else {
    echo "<script type=text/javascript>location.href='login_2.php'</script>";
    exit; // without this the rest of the protected page is still sent to the browser
}

https://forums.phpfreaks.com/topic/56083-is-this-login-secure-and-protected-from-sql-injection-attacks/
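A hardened form of the login lookup and the per-page check posted above, as an added example that is not part of the original post or any reply. It assumes `user_pass` stores `password_hash()` output instead of an MD5 digest and uses PDO with an in-memory SQLite database in place of the MySQL connection; the function names `verify_login` and `is_authorized` and the sample user are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumption: user_pass stores password_hash() output.
function verify_login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username travels as data, never as part of the SQL text.
    $stmt = $db->prepare(
        'SELECT user_id, user_name, user_pass, user_access_level
           FROM prbc_user WHERE user_name = :name'
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted hash and is safe against timing attacks.
    if ($row === false || !password_verify($password, $row['user_pass'])) {
        return null;
    }
    unset($row['user_pass']);   // never carry the hash into the session
    return $row;
}

function is_authorized(array $session, int $maxLevel): bool
{
    // Integer comparison; a missing key means "not logged in".
    return isset($session['MM_Username'], $session['auth_level'])
        && (int) $session['auth_level'] <= $maxLevel;
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prbc_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
           user_pass TEXT, user_access_level INTEGER)');
$ins = $db->prepare('INSERT INTO prbc_user (user_name, user_pass, user_access_level) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 3]);

$session = [];
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ["alice' -- ", 'x']] as [$u, $p]) {
    $user = verify_login($db, $u, $p);
    if ($user !== null) {
        // On a real page: session_regenerate_id(true), then header('Location: ...'); exit;
        $session = ['MM_Username' => $user['user_name'], 'UID' => $user['user_id'],
                    'auth_level' => $user['user_access_level']];
    }
    printf("%-12s %-14s %s\n", $u, $p, $user !== null ? 'accepted' : 'rejected');
}
var_dump(is_authorized($session, 5));  // session set by the accepted login
var_dump(is_authorized([], 5));        // empty session: the page must redirect and exit
```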
virtuexru Posted June 18, 2007

Looks good to me :-O.. You might want to use cookies as well to check, as a backup for sessions. Just a thought..
dprichard Posted June 18, 2007 (Author)

Cookies as backup??? Could I get more input on what that is and how that would work?
virtuexru Posted June 18, 2007

Yea.. Once you are 'logged' in the login script, set a cookie, then when you check with this:

if (isset($_SESSION['MM_Username']) && ($_SESSION['auth_level'] <= '5')) {
    $username = $_SESSION['MM_Username'];
}

you can also do

&& $_COOKIE['user_logged'] == "yes")

Just a thought.. might be pointless but I like to use cookies & sessions..