Hey there.
How does this piece of code look? I'm trying to slap something together i can stick at the top of my pages to require people to log in to access them.
$uname and $passw are variables submitted to the page via a form. The functions db_connect() and db_query() are properly defined and connect to a database, and feed a query to a database, respectivly.
// authenticate
if ((isset($passw)) && (isset(uname))) {
// connect to the database where users are stored
$db_conn_pnt = db_connect($db_host, $db_user_pass, $db_user_uname, $db_name);
// build & execute query
$db_query_str = "SELECT fname, lname FROM $db_tbl_stu WHERE uname = '$uname' AND passw = '$passw'";
$db_query_pnt = db_query($db_query_str, $db_conn_pnt);
// how many rows in the users table match the uname/passw combo?
$db_rows_match_pnt = mysql_numrows($db_query_pnt, $db_conn_pnt);
if ($db_rows_match_pnt == 1) {
// start a session & register the uname and passw variables
session_start();
session_register('uname', 'passw');
} else {
session_unset();
session_destroy();
}
}
both the $uname and $passw variables, as you can see, will be sent via a session to each "secured" page and reverified each time. Though i havn't included it here, i plan to md5() the $passw.
How does this look from a security standpoint? Will it be able to protect my pages? - this is really the first time i've tried to "protect" stuff.
Thanks in advance
--ben
