Hi everyone.
I had to build a login script to authenticate users because I couldn't find one out there that would be tailored to my needs. It works great, but I just want to make sure it looks strong enough.
Pretty much, once a user is authenticated, it pulls further data based on the user that will be used for further security within the webpage (like a series of if statements). Depending on a person's department, security level, position etc., certain access or even menus will be available to the user. Like I said, it works wonderfully, but I just need to ensure the code is good:
[PHP]
<?php
session_start();

// Not logged in yet: check the submitted credentials against the database.
if ($_SESSION["logged_in"] == "false" OR $_SESSION["logged_in"] == "") {
    $db = mysql_connect('localhost', 'user', 'pass') or die("Couldn't connect to the database.");
    mysql_select_db('networks') or die("Couldn't select the database");

    $_POST['user'] = addslashes($_POST['user']);
    $_POST['pass'] = md5($_POST['pass']);
    $result = mysql_query("SELECT count(id) FROM username WHERE password='$_POST[pass]' AND UID='$_POST[user]'") or die("Couldn't query the user-database.");
    $num = mysql_result($result, 0);

    if (!$num) {
        $_SESSION["logged_in"] = "false";
    } else {
        $_SESSION["logged_in"] = "true";
        $web_user = $_POST['user'];
        $web_pass = $_POST['pass'];
        $_SESSION["web_user"] = $_POST['user'];
        $_SESSION["web_pass"] = $_POST['pass'];

        // "Remember me": keep the user name in a cookie for 60 days, otherwise expire it.
        if ($remember_me == "true") {
            $time_expire = time()+5184000;
            setcookie("web_user", $_SESSION["web_user"], $time_expire);
            setcookie("uid_save", "true", $time_expire);
        } else {
            setcookie("web_user", $_SESSION["web_user"], time()-3600);
            setcookie("uid_save", "true", time()-3600);
        }
    }
} else {
    // Already logged in: reuse the values stored in the session.
    $web_user = $_SESSION["web_user"];
    $web_pass = $_SESSION["web_pass"];
}

// Logout request.
if ($logout == "true") {
    $_SESSION["logged_in"] = "false";
    $web_user = "";
    $web_pass = "";
    $logout = "done";
}

// Logged in: load the user's profile fields used for the access checks.
if ($_SESSION["logged_in"] == "true") {
    include 'includes/config.inc';
    include 'includes/db.inc';
    $cid = mysql_connect($host,$usr,$pwd);
    $SQL = " SELECT * FROM table WHERE UID = '$web_user' AND web_pass = '$web_pass' ";
    $retid = mysql_db_query($db, $SQL, $cid);
    while ($row = mysql_fetch_array($retid)) {
        $fname = $row["fname"];
        $position = $row["position"];
        $pname = $row["pname"];
        $email = $row["email"];
        $email_pass = $row["email_pass"];
        $homenum = $row["homenum"];
        $position_ab = $row["position_ab"];
        $class = $row["class"];
        $security = $row["security"];
    }
}
?>
[/PHP]
I also noticed that I need to change the db.inc to db.php 'cause anyone surfing to http://site.com/inc/db.inc can see the SQL credentials... any comments on that one? heh.
Thanks for the help!
(this place is great!)
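
A hardened take on the credential check in the script above, added here as an example and not part of the original post: a bound parameter replaces `addslashes()` with string interpolation, `password_hash()`/`password_verify()` replace `md5()`, and only the UID is kept in the session. The `authenticate()` and `login()` helpers, the in-memory SQLite database and the sample account are assumptions made so the script runs stand-alone; the table and column names follow the post, and against MySQL the same two functions work with a `mysql:` PDO DSN.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Table/column names follow the post;
// authenticate(), login() and the SQLite demo data are assumptions.
function authenticate(PDO $pdo, string $uid, string $password): bool
{
    // Bound parameter instead of addslashes() plus string interpolation.
    $stmt = $pdo->prepare('SELECT password FROM username WHERE UID = :uid');
    $stmt->execute([':uid' => $uid]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // password_verify() checks a salted password_hash() value; md5() is not used.
    return is_string($hash) && password_verify($password, $hash);
}

function login(PDO $pdo, array $post): bool
{
    // Read the form fields explicitly and reject non-string input (e.g. arrays).
    $uid  = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';

    if (!authenticate($pdo, $uid, $pass)) {
        $_SESSION['logged_in'] = false;
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
    }
    $_SESSION['logged_in'] = true;     // boolean rather than the string "true"
    $_SESSION['web_user']  = $uid;     // UID only; the password and its hash stay out of the session
    return true;
}

// Constructed demo: one account in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE username (id INTEGER PRIMARY KEY, UID TEXT UNIQUE, password TEXT)');
$pdo->prepare('INSERT INTO username (UID, password) VALUES (?, ?)')
    ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// The UID contains a quote on purpose: binding handles it without escaping.
var_dump(login($pdo, ['user' => "o'brien", 'pass' => 'correct horse']));
var_dump(login($pdo, ['user' => "o'brien", 'pass' => 'wrong guess']));
```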