First of all, thanks for your time. Like the subject says... I'm doing a login page, but every search sends me to the same code:
use posted user & pass
connect to mysql
search for the user & pass posted
if returns records then ok
else bad access
But I'm doing it this way (and I hope someone can tell me if I'm doing it wrong and why):
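session_start();
$user=$_POST['user'];
$pass=$_POST['password'];
// the posted credentials are used directly as the MySQL account
$link=mysql_connect('localhost',$user,$pass);
if(!$link){
    echo "Access denied";
}else{
    echo "Access OK";
    // keep the credentials so later pages can reconnect with them
    $_SESSION['user']=$user;
    $_SESSION['password']=$pass;
}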
And each time I need to verify if the user is logged in, I do the same, connecting to MySQL. Is there a possibility of code injection here? (Like SQL injection, PHP script or anything else.) Is this a bad practice? Is there any risk?
BTW, this works fine for me but I want to put it on the Internet and I don't want to be hacked. Thanks
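
The lookup flow listed at the top of the post (find the posted user, check the password, otherwise deny), written out as an added example that is not the poster's code. Assumptions: the `users` table, its columns, the function names and the sample account are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

function open_db(): PDO {
    // Assumption: in-memory SQLite for a self-contained run. With MySQL the DSN
    // would be 'mysql:host=localhost;dbname=...' plus ONE fixed, low-privilege
    // application account, not an account per visitor.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    // Constructed sample user; only the hash is stored, never the password.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $user, string $pass): ?int {
    // The placeholder keeps the posted name out of the SQL text entirely.
    $st = $db->prepare('SELECT id, pass_hash FROM users WHERE name = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still verify against a dummy hash so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $row ? $row['pass_hash'] : $dummy);
    return ($row && $ok) ? (int)$row['id'] : null;
}

function login(PDO $db, array $post, array &$session): bool {
    // Reject non-string input (e.g. user[]=x) instead of passing it on.
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';
    $id = check_login($db, $user, $pass);
    if ($id === null) {
        return false;
    }
    // In a real request, call session_regenerate_id(true) here and pass $_SESSION.
    $session = ['user_id' => $id];   // an identifier only, no password in the session
    return true;
}

$db = open_db();
$session = [];
var_dump(login($db, ['user' => 'alice', 'password' => 'correct horse'], $session));
var_dump($session);
$session = [];
var_dump(login($db, ['user' => "alice' --", 'password' => 'x'], $session));
```

Later pages then only check that `user_id` is present in the session, so no database credential or password is kept between requests.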