Sounds like you either need to use an existing content management system or framework or learn to code in a modular drop-in fashion. Coding it for modularity would mean that the included script can be left out and the page still function as usual.
I'll post an example in a bit.
Just looked at your code. The index page is insecure. Do not do it like that. I could do something nasty like index.php?p=../../../whateverfile and try to include it from outside of /inc/. You need some sort of protection against user input. Something like an array specifying valid files to include to check against, or a db table containing valid files to include that it can check against.
edit
Also, never ever store the password in a cookie. You should generate a unique key or something for the login and store it and check against it instead of the password.
Here's what you'd want to do: Split the login file up into checking logic and presentation. Once you do that it means that the checking logic can be included anywhere on the page, while the form itself can also be placed anywhere.
Here's a little example:
loginCheck.php
if(isset($_POST['login']))
{
if(!$_POST['username'] || strlen($_POST['username']) <= 3 || strlen($_POST['username']) >= 20) //Check user input for validity
{
$loginerror['username'] = "Username is required. Must be between 3 and 20 characters long.";
}
if(!$_POST['password'])
{
$loginerror['password'] = "Password is required.";
}
if(count($loginerror) == 0)
{
$username = mysql_real_escape_string(trim($_POST['username'])); //Do whatever to the user input
$password = mysql_reql_escape_string(trim($_POST['password']));
$sql = mysql_query("SELECT `username`,`password`,`etc` FROM `users` WHERE `username` = '$username' AND `password` = '$password' LIMIT 1"); //Select both at the same time
if(mysql_num_rows($sql) == 0)
{
$loginerror['login'] = "Username or Password incorrect or does not exist."; //It's smart not to let people know which they got wrong.
}
else
{
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = true;
$loginmessage = 'Welcome ' . $username. ', you are successfully logged in';
}
}
}
loginForm.php
function dispError($name,&$errors)
{
if(isset($errors[$name]))
{
return '<span class="error">' . $errors[$name] . '</span>';
}
return '';
}
if(isset($loginmessage))
{
echo $loginmessage;
}
elseif(isset($_SESSION['username']) && isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true)
{
echo 'Welcome, ' . $_SESSION['username'];
}
else
{
if(!isset($loginerror) || !is_array($loginerror))
{
$loginerror = array(); //Gotta make sure it exists for the next part if it hasn't been set.
}
echo dispError('login',$loginerror);
echo '<form method="post" action="">';
echo '<input name="username" placeholder="Username..." type="text" maxlength="15" />' . dispError('username',$loginerror) . '<br /><br />';
echo '<input name="password" placeholder="Password..." type="password" maxlength="20" />' . dispError('password',$loginerror) . '<br /><br />';
echo '<input name="login" type="submit" value="Login" style="width:100px;">';
echo '</form>';
}
index.php
if(isset($_POST['login']))
{
require_once("loginCheck.php");
}
//various other includes and requires
require_once("loginForm.php");
This way there's also no reason to redirect away from the login form/sign in page, as the checks can be easily included inline and both the form and the check can be included on any and all pages dynamically just by dropping it in where necessary.
