Well, what I would suggest is you log them in once, then set a session
variable such that $_SESSION["login"] = true;

Then at the top of each page, just check if they're logged in or not. 
  session_start();  // must run before $_SESSION is read
  if( empty($_SESSION["login"]) ) { header("Location: ".$LOGINPAGE); exit; }

No hit to the db for every page.
If you're in the good habit of using a "require()" file at the header,
you can put that in there, so all those pages are protected instantly
and it makes it easy to tweak.

However, if security is really a concern, I would choose to let Apache
deal with that. Plus the nice thing is that with the .htaccess (or
better yet, the httpd.conf <Directory>) you are guaranteed that all
subdirectories and files are protected too. Another little detail is
that a user can bookmark a page, and get back to it easily. My method
above would require you "remembering" the page they
requested->login->jump back to the page. I dunno. I have nothing to base
this on, but I feel 'safer' with private areas being protected by the
server rather than any code I could come up with. :)

DÆVID.

"A good friend will come and bail you out of jail...but a true friend
will be sitting next to you in the holding cell, laughing and saying
-'That was fucking awesome!'" 

> -----Original Message-----
> From: Sarah Gray [mailto:sarah@;fabled.net] 
> Sent: Monday, October 28, 2002 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] The Ethics and Access of Login
> 
> 
> list, 
> 
> I have been using .htaccess pages formatted to read 
> username/password from a mysql database, and they work fine.  
> But I'm wondering, wouldn't it be simpler to simply write a 
> script that checks a database itself, and, if it finds the 
> username, goes on to the next action; and if it doesn't find 
> the member, shuts them out? This seems so simple that I am 
> sure there are good arguments against it.  Am I right? 
> 
> The idea, in simple terms, is a login form that calls a php 
> script which checks the id of the username in the form 
> against a database, and then the appropriate action following 
> their acceptance. 



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
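
Added example, not part of the original message or of any project's code: one way to write the shared require() file described in the reply so that it also handles the "remember the requested page -> login -> jump back" step, accepting only same-site paths as the jump-back target. LOGIN_PAGE, the 'return_to' session key and the function names are assumptions made for this sketch; the username/password check itself is left to the login script.

```php
<?php
// auth.php: require() this at the top of every protected page, then call
// require_login(). All names here are hypothetical, chosen for the example.

const LOGIN_PAGE = '/login.php';   // assumed location of the login form

session_start();

// Accept only same-site absolute paths ("/members/page.php?x=1").
// Rejects "//host", "/\host", backslashes and control characters, so the
// post-login jump cannot be pointed at another host or split the header.
function safe_return_path(string $path, string $default = '/'): string
{
    if (preg_match('#^/(?![/\\\\])[^\x00-\x1f\\\\]*\z#', $path) === 1) {
        return $path;
    }
    return $default;
}

// Gate for protected pages: no database hit, only a session lookup.
function require_login(): void
{
    if (!empty($_SESSION['login'])) {
        return;
    }
    // Remember where the user was going, then send them to the login form.
    $_SESSION['return_to'] = safe_return_path($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . LOGIN_PAGE);
    exit;
}

// Call from the login script only after the credentials have been verified.
function complete_login(): void
{
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['login'] = true;
    $target = safe_return_path($_SESSION['return_to'] ?? '/');
    unset($_SESSION['return_to']);
    header('Location: ' . $target);
    exit;
}
```

Files that are not PHP scripts (images, downloads) in the same directory are not covered by this check, which is the gap the Apache-level protection mentioned in the reply closes.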
