Here is the simple authentication script:
<?php
session_start(); // start or resume the session before $_SESSION is used

// Process the login form only when it has been submitted.
if (isset($_POST['submitted'])) {
    require_once ('../../../mysql_connect.php');
    include ('../includes/functions.php');

    $username = escape_data($_POST['user']);
    $password = md5(escape_data($_POST['password']));

    $authenticate = "SELECT username
                     FROM user_accounts
                     WHERE username = '$username'
                     AND password = '$password'";
    $result = mysql_query($authenticate) or die(mysql_error());

    if (mysql_num_rows($result) == 1) {
        // Exactly one matching account: store the row in the session and redirect.
        $_SESSION['USER'] = mysql_fetch_row($result);
        header("Location: ../pages/index.html");
        // header("Location: {$_SERVER['HTTP_REFERER']}");
        exit;
        //var_dump($_SESSION['USER']);
        //die ($authenticate);
    } else {
        echo 'Invalid username and/ or password, <br>
Please try again.';
    }
}

// Render the login form between the shared header and footer.
include ('../includes/header_footer/header.inc.htm');
echo '
<form action="log_in.php" method="post">
<table class="frame" cellpadding="8" >
<tr>
<td align="right" >
Username<input name="user" type="text" size="14" maxlength="12">
<br />
Password<input name="password" type="password" size="14" maxlength="16">
<br />
<input name="enter" type="submit" value="Enter" />
</td>
</tr>
<input name="submitted" type="hidden" />
</table>
</form>
';
include ('../includes/header_footer/footer.inc.htm');
?>
The problem I'm having is that in the first line or so of all my other scripts I'm putting this:
<?php
session_start();
if (isset($_SESSION['USER'])) {
    // my script
} else {
    header("Location: ../authentication/log_in.php");
}
?>
Any advice and/or criticism is greatly appreciated.
Let me know if there are any obvious security blunders (this will be hosted on a secure site).
Thank you so much.
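
A hardened form of the login check and page guard from the post above, as an added example that is not the poster's code: the username is passed as a bound parameter through PDO instead of being interpolated into the SQL string, `password_hash()`/`password_verify()` replace `md5()`, the session id is regenerated at login, and the guard stops the script after redirecting. The in-memory SQLite database, the sample accounts and the helper names `authenticate`, `start_user_session` and `require_login` are assumptions made for the demo; the table and column names follow the post.

```php
<?php
// Added example, not the poster's code. Table and column names follow the post;
// the SQLite in-memory database and the sample account are constructed for the demo.
declare(strict_types=1);

/** Return the account's username on success, null on any failure. */
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, password FROM user_accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password'] ?? $dummy);
    return ($row && $ok) ? $row['username'] : null;
}

/** Call after authenticate() succeeds and before any output is sent. */
function start_user_session(string $username): void
{
    session_start();
    session_regenerate_id(true);   // fresh session id at login (session fixation)
    $_SESSION['USER'] = $username;
}

/** Guard for protected pages: redirect and stop if nobody is logged in. */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['USER'])) {
        header('Location: ../authentication/log_in.php');
        exit;                      // without exit the rest of the page still runs
    }
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_accounts (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO user_accounts VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'alice', 'correct horse'));  // valid credentials
var_dump(authenticate($pdo, 'alice', 'wrong'));          // bad password
var_dump(authenticate($pdo, "o'brien", 'x'));            // quote stays a literal character
```

`password_hash()` values are longer than a 32-character MD5 hex digest, so the `password` column has to be wide enough to hold them.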