Daniel Brown wrote:
> <?
> session_start();
> if(!$_SESSION['user']) {
>     if($_POST['user'] && $_POST['pass']) {
>         // Keep in mind, PASSWORD has meaning in MySQL
>         // Do your string sanitizing here
>         // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>         $sql = "SELECT * FROM users WHERE user='".$user."' AND pass='".$pass."' LIMIT 0,1;";
>         $result = mysql_query($sql) or die("Wrong data supplied or database error");
>         while($row = mysql_fetch_array($result)) {
>             $_SESSION['user'] = $row['user'];
>             // Do whatever else you need to do here....
>         }
>     } else {
>         // Show your login form here.
>     }
> } else {
>     // The user is authenticated and logged in already.
> }
> ?>
>
> Keep in mind that, as always, this hasn't been bug-checked, re-read, or otherwise validated.

A warning about your example not being validated will most likely not stop the OP from using this code as is, thereby subjecting himself to SQL injection.
And all it needed was mysql_real_escape_string() in there.
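For comparison, here is the same login flow with the query parameterised instead of built by string concatenation. This is an added example, not Daniel Brown's code or anything from the thread; it assumes the mysqli extension, a `users` table with `user` and `pass` columns, that `pass` holds a password_hash() digest rather than plaintext, and placeholder connection credentials.

```php
<?php
// Added example (not from the original post): the quoted login rewritten
// with a mysqli prepared statement, so request data is never spliced into
// SQL text. Assumes `users(user, pass)` where `pass` is a password_hash()
// digest (an assumption; the list post stored whatever was POSTed).
session_start();

if (empty($_SESSION['user'])) {
    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        // Placeholder credentials; read them from config in real code.
        $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
        if ($db->connect_error) {
            die('Database error'); // never echo connect_error to the client
        }

        // The `?` placeholder is bound separately from the statement text,
        // so quotes or comment markers in $_POST['user'] cannot change the
        // structure of the query the way they can with "...'".$user."'...".
        $stmt = $db->prepare('SELECT user, pass FROM users WHERE user = ? LIMIT 1');
        $stmt->bind_param('s', $_POST['user']);
        $stmt->execute();
        $stmt->bind_result($dbUser, $dbHash);

        // Compare the password in PHP against the stored hash instead of
        // putting it in the WHERE clause at all.
        if ($stmt->fetch() && password_verify($_POST['pass'], $dbHash)) {
            session_regenerate_id(true); // new session id on login
            $_SESSION['user'] = $dbUser;
            // Do whatever else you need to do here....
        } else {
            // Same response for unknown user and wrong password.
            echo 'Wrong data supplied';
        }
        $stmt->close();
        $db->close();
    } else {
        // Show your login form here.
    }
} else {
    // The user is authenticated and logged in already.
}
?>
```

Note that mysql_real_escape_string() itself needs an open connection to know the charset, which is one more thing a copy-pasted snippet tends to get wrong; prepared statements sidestep that entirely.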

