I welcome any comments on this.
<?php
// Start the session exactly once: $_SESSION only exists after session_start(),
// so its presence tells us whether an earlier include already started it.
isset($_SESSION) or session_start();
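/**
 * Escape and quote a value for direct use in a MySQL statement
 * (adapted from the php.net mysql_real_escape_string example).
 *
 * @param mixed $value raw input, typically a $_POST field
 * @return mixed the value unchanged when is_numeric() accepts it, otherwise a
 *               single-quoted string escaped with mysql_real_escape_string()
 *
 * Caveats for callers:
 *  - Numeric input is returned unquoted, so `username = 123` is compared as a
 *    number by MySQL; quote explicitly when the column is a string and the
 *    value may be all digits.
 *  - mysql_real_escape_string() needs an open mysql_connect() link, so this
 *    must only be called after connecting.
 *  - Escaping is a fallback; prepared statements (mysqli/PDO) are the proper
 *    way to keep user input out of SQL.
 */
function quote_smart($value)
{
    // Undo magic_quotes_gpc only where that feature still exists: the function
    // was removed in PHP 8, where calling it is a fatal "undefined function".
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}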
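//Connect database.
$host = "localhost"; // Host name.
$db_user = "mysqltv"; // MySQL username.
$db_password = "pass"; // MySQL password.
$database = "users"; // Database name.
// NOTE(review): the mysql_* extension is deprecated since PHP 5.5 and removed
// in PHP 7; the same flow ports to mysqli/PDO with prepared statements.
$link = mysql_connect($host, $db_user, $db_password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
// mysql_select_db() returns false when the database does not exist or the
// user lacks access; without this check every later query fails silently.
if (!mysql_select_db($database, $link)) {
    die('Could not select database: ' . mysql_error($link));
}
// Read the credentials once; a missing field becomes '' instead of raising an
// undefined-index notice, and still fails the lookup below.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// Make a safe query: both values go through quote_smart() so user input is
// escaped and quoted before it is placed in the statement.
// NOTE(review): md5() is not a suitable password hash (unsalted and fast);
// the replacement is to store password_hash() output and check it in PHP with
// password_verify(), which needs a schema change.
$query = sprintf(
    "SELECT * FROM member WHERE username=%s AND password=md5(%s)",
    quote_smart($username),
    quote_smart($password)
);
$result = mysql_query($query, $link);
if (!$result || !mysql_num_rows($result)) {
    //wrong username or password (or the query itself failed)
    header("location:register.html");//send them to the register page.
    die;
}
//I want to put the sessid in the database for the user
// The session was already started at the top of the file; a second
// session_start() only raises a notice. session_register() (removed in
// PHP 5.4) would also register a global named after the *value* the user
// typed, so the username is stored under a fixed key instead.
$_SESSION['username'] = $username;
$sessionID = session_id();
// Quote the session id explicitly rather than via quote_smart(): an all-digit
// id would otherwise be sent unquoted and lose leading zeros as a number.
$query = sprintf(
    "UPDATE member set session = '%s' where username = %s",
    mysql_real_escape_string($sessionID, $link),
    quote_smart($username)
);
// The original interpolated $_POST[username] straight into this UPDATE and the
// next one, which was an SQL-injection hole even though the SELECT was escaped.
if (!mysql_query($query, $link)) {
    die('Could not store session: ' . mysql_error($link));
}
//get the ip address
$ip = $_SERVER['REMOTE_ADDR'];
$query = sprintf(
    "UPDATE member set ip = '%s' where username = %s",
    mysql_real_escape_string($ip, $link),
    quote_smart($username)
);
if (!mysql_query($query, $link)) {
    die('Could not store ip: ' . mysql_error($link));
}
header("location:lgwk.html");//send them to the good page.
//from the mysql site it seemed like this was good practice.
mysql_close($link);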
?>
Thanks.