Daniel Brown schreef:
<?
session_start();
if(!$_SESSION['user']) {
if($_POST['user'] && $_POST['pass']) { // Keep in mind, PASSWORD
has meaning in MySQL
// Do your string sanitizing here
// (e.g. - $user = mysql_real_escape_string($_POST['user']);)
$sql = "SELECT * FROM users WHERE user='".$user."' AND
pass='".$pass."' LIMIT 0,1;";
$result = mysql_query($sql) or die("Wrong data supplied or
database error");
while($row = mysql_fetch_array($result)) {
$_SESSION['user'] = $row['user'];
// Do whatever else you need to do here....
}
} else {
// Show your login form here.
}
} else {
// The user is authenticated and logged in already.
}
?>
Keep in mind that, as always, this hasn't been bug-checked,
re-read, or otherwise validated.
A warrant about your example not being validated, will most likely not
stop the OP from using this code as is, thereby subjecting himself to
SQL injection.
And all it needed was mysql_real_escape_string() in there.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php