I have a login system, which works fine but the problem is that if someone finds out the page it redirects you to if you logged in correctly then people can bypass the login system altogether. So I'm trying to use sessions to prevent this and this is what I have for my "login.php" script:
<?php
$db = mysql_connect("localhost", "username", "password");
mysql_select_db("dbname", $db);
if($_POST['submit'] == "Login") {
$login = mysql_query("SELECT * FROM users WHERE username = $uname AND password = $passwd");
$num = mysql_num_rows($login);
if($num == 0) {
echo("Invalid user name and/or password. Please use your browsers back button and try logging in again.");
}
if($num == 1) {
session_start();
$valid_user = $uname;
$id = session_id();
$ip_address = $_SERVER['REMOTE_ADDR'];
session_register("valid_user");
session_register("id");
header("Location: /members2.php");
}
}
?>
What else do I need to add so that it verifies that the person is that person and they can't bypass the login page? Thanks! 🙂
