Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Who hasn't had to figure out creating a secure login before? When I first undertook the task, I found it quite daunting. So, I hope that I can help you at least get started down the right path with the following tutorial. Comments, criticisms, and additions are welcome. Just let me know.
I don't discuss much about _why_ you need to take steps. This old thread (which I decided not to bump) does go into that a little bit. So if you don't understand a step or two, check that out. I am going to quote one bit from it though: Before you get started, you should realize that these steps are sufficient for anything as sensitive up to (and maybe including) a webmail system. Anything involving monetary transactions MUST take further steps which go beyond the scope of this article.
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 16
Warning: Cannot modify header information - headers already sent by (output started at /home/chalks71/public_html/logreg_tut/demo/back/login.php:16) in /home/chalks71/public_html/logreg_tut/demo/back/login.php on line 123
Also, call session_regenerate_id() after login; some server configurations may allow session fixation attacks.
How did you manage to get an array passed to that? The only thing I can think of is if you manually edited the form that was submitted, but if you're doing that... the form submission _should_ fail (though perhaps more gracefully).
Edit: also, best way to prevent session fixation would be to... change sid when users log in? Could easily do that by setting the sid to be some hash of the username + some random characters. Edit of edit: oh, I see what you mean. Yep, will definitely update the code to your suggestion. Thanks!
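The change agreed on above (regenerating the session id once the user has authenticated), together with a string check that would have caught the "array given" warning, as an added example that is not the tutorial's own code. The $pdo connection, the users table and its password_hash column are assumptions.

```php
<?php
// Added example, not the tutorial's code. Assumes an existing PDO connection
// in $pdo and a users table with username and password_hash columns.
session_start();
// Return the field only if it is a plain string: "username[]" in the form
// would arrive as an array, which the later checks and query must not see.
function read_string_field(array $source, string $name, int $maxLen = 255): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return strlen($source[$name]) <= $maxLen ? $source[$name] : null;
}

// Look the user up with a prepared statement (no manual escaping) and verify
// the password against the stored hash; returns the user id or null.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Replace the pre-login session id so an id planted before login is never
// promoted to an authenticated one; true also deletes the old session data.
function establish_session(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'login_time' => time()];
}

$username = read_string_field($_POST, 'username');
$password = read_string_field($_POST, 'password', 1024);
if ($username === null || $password === null) {
    http_response_code(400);
    exit('Invalid login request.');
}
$userId = authenticate($pdo, $username, $password);
if ($userId === null) {
    http_response_code(401);
    exit('Login failed.');
}
establish_session($userId);
// Nothing has been echoed yet, so the redirect header can still be sent.
header('Location: /home.php');
exit;
```

Because no output is produced before header(), the "headers already sent" warning quoted above cannot occur on this path.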