I have the code:
if ($usernamelogin == $dbusername && $passwordlogin == $dbpassword)
{
    $hash = md5(time()); // session id derived from the current timestamp
    mysqli_query($connection, "UPDATE users SET sessionid='$hash' WHERE username='$usernamelogin' AND password='$passwordlogin'");
    $_SESSION['id'] = $hash;  // stored in the PHP session and in the users table
    $_SESSION['un'] = $usernamelogin;
}
else
{
    echo ('Wrong username or password.');
}
I'm then using $sessionid, the SQL sessionid, and the usernames to verify if a user is real. This means that, assuming I have protection against an SQL injection, there are relatively few security risks, right?
I came here to ask, because this seems like an overly simple solution to a complex problem. All of the documents and websites I've been to have implemented much more complex, confusing, and sometimes insecure methods of verifying if a user is logged in.
Is this secure?
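For comparison, here is an added example of the same login flow written the way it is usually hardened; it is not the asker's code. It assumes PHP 7.3 or newer with mysqlnd (for get_result()), an open mysqli handle in $connection, and a users table with columns id, username, password_hash and a nullable session_token_hash; the function names are illustrative. The differences from the question's snippet are that the password is stored and checked with password_hash()/password_verify() instead of compared as plaintext, the row is fetched by username alone through a prepared statement, the PHP session id is regenerated at login so a pre-login id cannot be reused, and the server-side token that md5(time()) produced in the question comes from random_bytes() and is stored only as a hash.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Assumed schema: table `users` with
// columns id (INT), username (VARCHAR), password_hash (VARCHAR(255)) and
// session_token_hash (CHAR(64) NULL). $connection is an open mysqli handle.
// Function names are illustrative.

// Session cookie flags: not readable from JavaScript, HTTPS only, not sent on
// cross-site POST requests. Array form needs PHP 7.3+.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Store a salted, slow hash of the password instead of the password itself. */
function create_user(mysqli $connection, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, per-user salt
    $stmt = $connection->prepare(
        'INSERT INTO users (username, password_hash) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

/**
 * Look the user up by username only, then check the password with
 * password_verify() (constant-time). Returns the user id, or null on failure.
 */
function login(mysqli $connection, string $username, string $password): ?int
{
    $stmt = $connection->prepare(
        'SELECT id, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Unknown username: still run password_verify() against a throwaway hash
    // so the response time does not reveal which usernames exist.
    $storedHash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $storedHash)) {
        return null; // caller prints one generic "wrong username or password"
    }
    $userId = (int) $row['id'];

    // Replace the pre-login session id so an id an attacker planted before
    // login (session fixation) stops being valid once the user is signed in.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return $userId;
}

/**
 * Server-side token in the role md5(time()) played in the question: 256 bits
 * from the CSPRNG, stored only as a SHA-256 hash so a database leak does not
 * hand out live sessions. The raw token lives in the PHP session.
 */
function issue_session_token(mysqli $connection, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);
    $stmt = $connection->prepare('UPDATE users SET session_token_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $tokenHash, $userId);
    $stmt->execute();
    $_SESSION['token'] = $token;
    return $token;
}

/** Returns the logged-in user id, or null if the session or its token is invalid. */
function current_user(mysqli $connection): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    $stmt = $connection->prepare('SELECT session_token_hash FROM users WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // hash_equals() compares in constant time; a plain == would leak via timing.
    if ($row === null || $row['session_token_hash'] === null
        || !hash_equals($row['session_token_hash'], hash('sha256', $_SESSION['token']))) {
        return null;
    }
    return $userId;
}
```

The login handler becomes `$id = login($connection, $_POST['username'], $_POST['password']); if ($id === null) { echo 'Wrong username or password.'; } else { issue_session_token($connection, $id); }`, and every protected page calls current_user() and redirects when it returns null. Storing a hash of the token rather than the token keeps the users table from being a list of valid sessions, and keeping exactly one token per row means a new login anywhere invalidates the previous one, which is the behaviour the question's UPDATE already had.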