Hi, I had a question on user authentication/member accounts. I have built a MySQL database with users and passwords, and I wrote this code:

<html>
<head><title>LOGIN IN PROGRESS</title></head>
<?php
// Connect to the database; HOST, USER, PASS and DB stand for the connection settings.
mysql_connect(HOST, USER, PASS);
mysql_select_db(DB);
?>
<body bgcolor="white">
<h2>PLEASE LOG IN</h2>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table cellpadding=2 cellspacing=0 border=0>
<tr><td>Username:</td><td><input type="text" name="User" size=10></td></tr>
<tr><td>Password:</td><td><input type="password" name="Pass" size=10></td></tr>
<tr><td> </td><td><input type="submit" name="submit" value="Log In"></td></tr>
</table></form>
<?php
if (isset($_POST['submit'])) {
    // Escape the submitted name before it is placed inside the SQL string.
    $User = mysql_real_escape_string($_POST['User']);
    $Pass = $_POST['Pass'];
    $result = mysql_query("select * from Users where User='$User'") or die("cant do it");
    while ($row = mysql_fetch_array($result)) {
        // Strict comparison avoids PHP's numeric-string type juggling with ==.
        if ($row["Pass"] === $Pass) {
            printf("Successfully Logged In!<a href=\"about.php\">Click Here</a>");
        }
    }
}
?>
</body>
</html>

So this will work; it recognizes a real user vs. a fake one I do. But I don't understand what's to stop someone from directly linking to a protected page? For example, why couldn't someone just go directly to ...../about.php? Does this make sense? Should I have the login form in one file and the PHP script in another? Do I need to check the HTTP header somehow to see if they have logged in?

Thanks.

-Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
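
A direct request to about.php is refused only if about.php itself checks server-side session state on every request. The following is an added example, not part of the original post or of any reply to it; it assumes PHP 5.5 or later with sessions enabled, and the file name auth.php, the function names and the in-memory sample account (standing in for the Users table, with hashed passwords) are hypothetical.

```php
<?php
// auth.php -- added example, not code from the original post.
// Each protected page starts with:  require 'auth.php'; $user = require_login();

// Constructed sample account store standing in for the Users table.
// Assumption: passwords are stored as password_hash() output, not plain text.
function sample_users() {
    return array('chris' => password_hash('example-password', PASSWORD_DEFAULT));
}

// Start the session once per request, before any output is sent.
function start_auth_session() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Verify the credentials; on success record the login in the session,
// which lives on the server and is only referenced by the browser's cookie.
function attempt_login($user, $pass, $users) {
    start_auth_session();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login (session fixation)
    $_SESSION['user'] = $user;
    return true;
}

// Gate for about.php and every other protected page: a request that arrives
// without a logged-in session is redirected to the login form and stops here.
function require_login($login_page = 'login.php') {
    start_auth_session();
    if (empty($_SESSION['user'])) {
        header('Location: ' . $login_page);
        exit;   // without exit the rest of the protected page would still run
    }
    return $_SESSION['user'];
}

// Log out: drop the server-side record so the old cookie is worthless.
function logout() {
    start_auth_session();
    $_SESSION = array();
    session_destroy();
}
```

The login form's handler calls attempt_login() with the submitted values; the link to about.php then works only because require_login() finds the session entry, not because the user knows the URL.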