
Noob security question

Guest
 
Posts: n/a
#1: Dec 21 '05
I want to provide secured access to a MySQL database. This is what I've
done. Firstly the relevant pages are in a folder to which Apache
requires password authentication. Then I have an HTML page with a form
to enter (MySQL) ID and password, which I POST to a PHP page which
tries to connect to the MySQL database, and if so starts a session...

<?php
// Login page: the submitted MySQL credentials are tried directly against the server
$id = $_POST['ID'];
$pass = $_POST['password'];
if ($connect = mysql_pconnect("localhost", $id, $pass))
{
    // Connection succeeded: open a session and remember the credentials in it
    session_start();
    echo "Connected - using database 'test'<br>";
    mysql_select_db("test");
    $_SESSION["id"] = $id;
    $_SESSION["password"] = $pass;
    $_SESSION["start"] = time();   // used by later pages for the idle timeout
}
else
{
    // Connection failed: send the browser back to the start page
    header("Location: http://127.0.0.1");
    exit();
}

Subsequent PHP pages are like:

<?php
session_start();
$id = $_SESSION["id"];
$pass = $_SESSION["password"];
$start = $_SESSION["start"];
$duration = time() - $start;
if ($duration > 10)
{
    // Idle for more than 10 seconds: drop the session and redirect
    session_destroy();
    header("Location: http://127.0.0.1/timeout.htm");
    exit();
}
// Reset the idle timer ($_SESSION is case-sensitive; $_session would be a plain
// local array and the timeout above would then fire on every page)
$_SESSION["start"] = time();

// Reconnect with the credentials kept in the session
$connect = mysql_pconnect("localhost", $id, $pass);
$myQuery=...

Is this reasonably secure? What are the obvious holes? TIA


joe
Guest
 
Posts: n/a
#2: Dec 21 '05

re: Noob security question

You probably would want to hash the passwords in the database (e.g.
with sha1) as well as use SSL to encrypt communications between the
browser and the server. PHP session security can be discussed at length
but some issues you should consider are session hijacking, session
fixation, cross-site scripting, cross-site forgery requests, etc.

joe
Guest
 
Posts: n/a
#3: Dec 21 '05

re: Noob security question

Reread your question, and with regard to the mysql part of it, you can
place the db connection information in a separate file. Make sure you
validate/sanitize any input given by the user - use
mysql_real_escape_string along with your other input cleansing
functions.
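
A hardened version of the login and page-guard code from post #1, added here as an example rather than the original poster's or joe's code: it follows joe's advice (credentials in a separate file, hashed passwords, escaped or rather parameterised input) using mysqli prepared statements and password_hash()/password_verify() in place of the sha1 he mentions and the old mysql_* functions, and regenerates the session id on login against fixation. Assumed: a config file /etc/myapp/db_config.php defining DB_HOST, DB_USER, DB_PASS and DB_NAME for one low-privilege application account, and a table users(username, password_hash).

```php
<?php
// Added example (not the thread's own code). Assumes /etc/myapp/db_config.php,
// kept outside the web root, defines DB_HOST, DB_USER, DB_PASS, DB_NAME, and that
// users(username, password_hash) holds hashes produced by password_hash().
require '/etc/myapp/db_config.php';

// Login check replacing mysql_pconnect(): the user's password is verified against
// a stored hash and is never used as a MySQL credential nor kept in the session.
function authenticate(mysqli $db, string $id, string $pass): bool
{
    // Prepared statement: the username never becomes part of the SQL text, so
    // there is nothing for mysql_real_escape_string() to escape.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && password_verify($pass, $hash);
}

// Guard for every later page: same 10-second idle timeout as the original,
// with the $_session typo fixed ($_SESSION is case-sensitive).
function require_login(int $idle_seconds = 10): void
{
    session_start();
    if (empty($_SESSION['id']) || time() - $_SESSION['start'] > $idle_seconds) {
        $_SESSION = [];
        session_destroy();
        header('Location: http://127.0.0.1/timeout.htm');
        exit();
    }
    $_SESSION['start'] = time();
}

// login.php body
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($db->connect_error) { http_response_code(500); exit('database unavailable'); }
$id   = isset($_POST['ID']) ? (string) $_POST['ID'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';
session_start();
if (!authenticate($db, $id, $pass)) {
    header('Location: http://127.0.0.1/');   // same failure path as the original
    exit();
}
session_regenerate_id(true);   // fresh session id on login defeats fixation
$_SESSION['id']    = $id;      // identity only; no password in the session
$_SESSION['start'] = time();
echo 'Connected - using database ' . htmlspecialchars(DB_NAME) . '<br>';
```

Later pages call require_login() first and then open their own mysqli connection with the application account from the config file, never with anything taken from the session.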
