pyrodude Posted July 28, 2007

I'm pretty new to the whole MySQL thing, and am in the process of setting up an admin page for my website. My question comes into play once the username and password have been verified. I need to know how I should check on each subsequent page and make sure the client is currently logged in.

I could use cookies to store the username and password and then do a MySQL query on every page, but that seems like it would be a little excessive and bog down the system. Another possible option I came up with was to establish a cookie with the username and password, and a session array with the same information, and compare those every page.

If anyone has any other solutions (perhaps more efficient ones?) they would be much appreciated. If I'm way off base, let me know. I think my main concern is fear of SQL and/or PHP injection.

Thanks!
ss32 Posted July 28, 2007

If you use mysql_real_escape_string() then SQL injection shouldn't be a problem. What you want to do is store a session variable containing the username and the userid. These variables can only be set by your login script, so it is safe to assume that if they are set, they are verified. To log out, simply unset the session variable. Don't forget to call session_start()!
pyrodude Posted July 28, 2007

Wouldn't it be possible (although highly unlikely) that someone would be able to set their own $_SESSION['username'] by escaping out of, say, an HTML form? This is, of course, assuming that I wasn't using things like addslashes() and strip_tags() or a regex of some kind, and that the client was able to guess the name of the key in the $_SESSION array. Again, I'm looking for any possibility of it happening, not just the likelihood.

Thanks again!
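The session-based check ss32 describes, and the question in the last post about where $_SESSION values come from, worked through as an added example that is not code from any poster in this thread. It assumes PDO prepared statements and password_hash() in place of mysql_real_escape_string(), an in-memory SQLite database standing in for MySQL, and a constructed users table, function names and sample account.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL;
// the table, function names and sample account are constructed for illustration.
declare(strict_types=1);

function find_user(PDO $db, string $username): ?array {
    // Prepared statement: the username is bound as data, never spliced into the SQL.
    $st = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $username, string $password): bool {
    $user = find_user($db, $username);
    if ($user === null || !password_verify($password, $user['pw_hash'])) {
        return false;                          // nothing is written to the session
    }
    session_regenerate_id(true);               // new session id once privileges change
    $_SESSION['userid'] = (int) $user['id'];   // values come from the database row,
    $_SESSION['username'] = $user['username']; // not from the submitted form
    return true;
}

function is_logged_in(): bool {
    return isset($_SESSION['userid']);         // per-page check: no password cookie, no query
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// Constructed demo, run with the PHP CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();                               // needed on every page that reads $_SESSION
$_POST = ['username' => "admin' OR '1'='1", 'password' => 'x']; // constructed hostile input
$results = ['hostile form' => login($db, $_POST['username'], $_POST['password'])];
$results['session after hostile form'] = is_logged_in();
$results['valid login'] = login($db, 'admin', 'correct horse');
$results['session after valid login'] = is_logged_in();
logout();
$results['session after logout'] = is_logged_in();
var_dump($results);
```

The only assignments to $_SESSION sit inside login(), after the password check, so a submitted form value reaches the session only where the script itself copies it there. On a protected page, call session_start() and send the visitor back to the login form when is_logged_in() returns false.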