--- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> Well both variables $userid and $userpassword are bounced off of a
> user database table, if the username/password don't match then the
> session variables are cleared with a session_destroy() call. Is that
> a good enough validation?

Yes, as long as you realize that you have now shifted the trust to those values in the database. As long as there is no way for a user to inject malicious code during the registration process (or however the username and password end up in the database), then that part should be fine.

Hope that helps.

Chris

=====
My Blog: http://shiflett.org/
HTTP Developer's Handbook: http://httphandbook.org/
RAMP Training Courses: http://www.nyphp.org/ramp
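
The check discussed in this thread, as an added example that is not part of the original messages: the session's `$userid` and `$userpassword` are looked up in the user table and the session is destroyed on a mismatch, while registration constrains what can reach that table in the first place. The table layout, the function names, the in-memory SQLite database and the use of `password_hash()` are assumptions made for illustration; the thread does not say how the passwords are stored.

```php
<?php
// Added example: hypothetical schema and helper names, constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

// Registration is where values enter the database, so constrain them here.
function register_user(PDO $db, string $userid, string $password): bool
{
    // Allowlist: 3-32 letters, digits or underscore; markup and quotes are rejected.
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $userid)) {
        return false;
    }
    // Bound parameters keep the values out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (userid, pwhash) VALUES (?, ?)');
    return $stmt->execute([$userid, password_hash($password, PASSWORD_DEFAULT)]);
}

// Compare the session's $userid/$userpassword with the user table.
function credentials_match(PDO $db, string $userid, string $userpassword): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($userpassword, $hash);
}

// Returns the validated userid, or null after clearing the session.
function validated_session_user(PDO $db, array $session): ?string
{
    $userid = $session['userid'] ?? '';
    $userpassword = $session['userpassword'] ?? '';
    if (is_string($userid) && is_string($userpassword)
        && credentials_match($db, $userid, $userpassword)) {
        return $userid;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy(); // mismatch: drop the session, as in the thread
    }
    return null;
}

// Constructed sample input: one acceptable registration, one carrying markup.
var_dump(register_user($db, 'jeff', 'constructed-password'));
var_dump(register_user($db, '<b>mallory</b>', 'constructed-password'));
$user = validated_session_user($db, ['userid' => 'jeff', 'userpassword' => 'constructed-password']);
// The value is trusted only as far as registration constrained it; still encode on output.
echo htmlspecialchars((string) $user, ENT_QUOTES, 'UTF-8'), "\n";
```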