Check the login credentials and store the id of the user in a session
Code:
<?php
include("con.php");   // opens the database connection
session_start();
$user = mysql_real_escape_string($_POST['user']);
$password = md5($_POST['password']);
$sql_check = "SELECT id
from users where
username = '$user' and
password = '$password'";
$result = mysql_query($sql_check); // trigger_error('Query failed: ' . mysql_error());
if (mysql_num_rows($result) != 1)
{
    header('Location: log.php'); // re-direct the user to the login page
    exit;                        // stop here so nothing below runs after the redirect
}
else
{
    $id = mysql_result($result, 0);
    $_SESSION['id_user'] = $id;
    header('Location: welcome.php'); // enter the site
    exit;
}
?>
Code:
<?php
session_start();
if (!isset($_SESSION["id_user"])) {   // no logged-in user in this session
    header('Location: log.php');
    exit;                             // stop before any protected content is sent
}
Then I use the id stored in the session to read/edit various information.
It works, but I have been reading quite a lot on this forum about this subject, and it seems my approach is not too safe and a better way would be:
1. If the user/password match what is stored in the database, save the ID of the user, the session ID and the IP of the computer in the database.
For the Session ID I would use $_COOKIE["PHPSESSID"]
For the IP I would use the example found here http://wiki.jumba.com.au/wiki/Get_user_IP_Address_(PHP)
2. On each page, do additional checks besides
Code:
if (!isset($_SESSION["id_user"]))
- retrieve the session ID and IP for the $_SESSION["id_user"] from the db
- get again $_COOKIE["PHPSESSID"] and the IP and compare them with the values retrieved from the db
I understand that in the case of a dynamic IP this would cause a problem, as users would be disconnected, but somehow I am willing to take this risk.
Any thoughts about this approach?
Thanks,
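One way to implement the login-time binding and the per-page check described in the post, as an added example that is not the poster's code: it assumes a connected PDO object `$pdo` and a `user_sessions` table (both constructed for this example) and uses prepared statements in place of the mysql_* functions.

```php
<?php
// Added example, not the poster's code: binds a session to the user and to the
// client IP as the post describes, using PDO prepared statements instead of mysql_*.
// Assumptions for this example: $pdo is a connected PDO object (MySQL) and the table
//   user_sessions(user_id INT PRIMARY KEY, session_id VARCHAR(128), ip VARCHAR(45)) exists.

// Call this once the username/password check has succeeded.
function bind_session(PDO $pdo, int $userId): void
{
    // Issue a fresh id so a session id that existed before login is not kept.
    session_regenerate_id(true);
    $_SESSION['id_user'] = $userId;

    // session_id() is the authoritative value; the PHPSESSID cookie can be
    // absent or stale on the first request after regeneration.
    // REMOTE_ADDR is set by the web server; X-Forwarded-For style headers are
    // supplied by the client and are only meaningful behind a trusted proxy.
    $stmt = $pdo->prepare(
        'REPLACE INTO user_sessions (user_id, session_id, ip) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, session_id(), $_SERVER['REMOTE_ADDR'] ?? '']);
}

// Call this at the top of every protected page; returns the user id or null.
function current_user(PDO $pdo): ?int
{
    if (!isset($_SESSION['id_user'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT session_id, ip FROM user_sessions WHERE user_id = ?');
    $stmt->execute([$_SESSION['id_user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A mismatch on either value means this is not the session issued at login.
    // hash_equals() compares in constant time.
    $ipNow = $_SERVER['REMOTE_ADDR'] ?? '';
    if ($row === false
        || !hash_equals($row['session_id'], session_id())
        || !hash_equals($row['ip'], $ipNow)) {
        // Drop the session so the same cookie is not accepted on the next request.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['id_user'];
}

// Usage on a protected page, after session_start():
// if (current_user($pdo) === null) { header('Location: log.php'); exit; }
```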