On 3/14/06, IG <php@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello.
>
> I got a password protected login script off t'internet a while back and
> have implemented it. I just want to make sure it is secure. I am aware
> that the password is stored directly in the database and I don't think
> this is a good thing. If the following could be looked at to see if
> there are any improvements I would be most grateful. The script is then
> called on each page that requires password protection thus-

Here's a fragment from my login routine:

    if ( isset($_POST['s1']) ) {
        // hash the submitted password and escape the submitted user id
        $md5_pass  = md5($_POST['p1']);
        $u_user_id = db_format($_POST['u1']);

        // look up an approved user with a matching id and password hash
        $q1 = "select * from users where u_user_id = '$u_user_id' and u_pass = '$md5_pass' and u_appr = '1' ";
        $r1 = mysql_query($q1) or db_error( $q1, mysql_error(), mysql_errno(), __FILE__ );
        $a1 = mysql_fetch_array($r1);

        if ( mysql_num_rows($r1) == 1 ) {
            // exactly one row matched: record the login in the session
            $hostip = $_SERVER['REMOTE_ADDR'];
            $_SESSION['sess_login_id'] = $a1['u_user_id'];
            $_SESSION['sess_uid']      = $a1['u_id'];
            $_SESSION['sess_email']    = $a1['u_email'];
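As an added example, not code from either poster in this thread, here is how the same login step looks with the three weaknesses of the fragment addressed: the password is verified against a salted, slow hash instead of a bare md5() digest, the user id is bound as a query parameter rather than interpolated into the SQL string, and the session id is regenerated at login. It uses PDO and the password_hash()/password_verify() API (PHP 5.5 and later), which did not exist when the thread was written; the `$pdo` connection string and the column names u_id, u_user_id, u_pass, u_email and u_appr are taken from the fragment above, and u_pass is assumed to hold a password_hash() string. The form field names s1, u1 and p1 match the original routine.

```php
<?php
declare(strict_types=1);

// Placeholder connection; real credentials would come from configuration.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Registration / password-change side: store a salted bcrypt hash,
// never the plaintext and never an unsalted md5() digest.
function setPassword(PDO $pdo, int $uid, string $password): void
{
    $stmt = $pdo->prepare('UPDATE users SET u_pass = :h WHERE u_id = :id');
    $stmt->execute([
        ':h'  => password_hash($password, PASSWORD_DEFAULT),
        ':id' => $uid,
    ]);
}

// Login side: returns the user row on success, null on any failure.
function login(PDO $pdo, string $username, string $password): ?array
{
    // Parameterised query: the submitted user id never becomes SQL text,
    // so db_format()-style escaping is no longer the last line of defence.
    $stmt = $pdo->prepare(
        'SELECT u_id, u_user_id, u_pass, u_email
           FROM users
          WHERE u_user_id = :u AND u_appr = 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() recomputes the hash with the stored salt and cost
    // and compares in constant time; unknown user and wrong password both
    // end up on the same return path.
    if ($row === false || !password_verify($password, $row['u_pass'])) {
        return null;
    }

    // Opportunistic upgrade when the stored hash uses an outdated cost
    // or algorithm; the plaintext is only available at login time.
    if (password_needs_rehash($row['u_pass'], PASSWORD_DEFAULT)) {
        setPassword($pdo, (int) $row['u_id'], $password);
    }

    // A fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['sess_login_id'] = $row['u_user_id'];
    $_SESSION['sess_uid']      = $row['u_id'];
    $_SESSION['sess_email']    = $row['u_email'];
    $_SESSION['sess_ip']       = $_SERVER['REMOTE_ADDR'] ?? '';

    unset($row['u_pass']);   // never hand the hash back to callers
    return $row;
}

session_start();

if (isset($_POST['s1'])) {
    $user = login(
        $pdo,
        (string) ($_POST['u1'] ?? ''),
        (string) ($_POST['p1'] ?? '')
    );
    if ($user === null) {
        // One generic message so the response does not reveal whether the
        // user id exists.
        echo 'Login failed.';
    } else {
        echo 'Welcome, ' . htmlspecialchars($user['u_user_id'], ENT_QUOTES, 'UTF-8');
    }
}
```

Existing accounts whose u_pass column still holds an MD5 digest cannot be verified by this routine; they need a one-off migration, typically by forcing a password reset, since the original plaintext is not recoverable from the digest.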