[RESOLVED] A few questions

Dvdbrink

SOLVED

wilku

The last question: when you compare some variables you have to use double equal sign ==. Single = means assignment.
As for your other questions, some things are unclear for me in your script:
- why you use SELECT * FROM users in login.php script? that way you display menu for every user on one page. Some WHERE clause is necessary to narrow the search to the logged in user.
- you include check_login.php at the end of your script. It would be better to include it first and then act if it accepted the credentials (or not).

Dvdbrink

Thanks for your reply.
I updated the codes.
- I already figured out that I had to use == instead of =.
- I changed 'SELECT * FROM users' to 'SELECT rank FROM users', that does norrow the info selected a bit. I tried to make a $SESSION['rank'], but I didn't get that working. Any tips?
- About including check_login.php, that doesn't matter anymore. I have managed to merge check_login.php into login.php. I figured that should be safer.
- And I'm wondering if I should change 'addslashes' to 'mysql_real_escape_string' in login.php here

if($_POST['login'])
{
    $username = addslashes($_POST['username']);

I know that 'mysql_real_escape_string' prevents sql injection, but I see people using 'addslashes' infront of the username $_POST in tutorials when loging in. I don't really get what 'addslashes' does.
I still have no clue on how I can make my member-system safer and how people can take advantage of a unsafe system.

dagon

mysql_real_escape_string always, addslashes does not protect against sql injection attacks, no matter how many people seem to think otherwise.

of course they could be right and i could be wrong - so make your own decision

Weedpacket

dagon wrote:
mysql_real_escape_string always, addslashes does not protect against sql injection attacks, no matter how many people seem to think otherwise.

Or use PDO and let the database driver worry about those things.