Fat Bloke wrote:
> This is what I use - is it best practice?
Very much not so.
> <?
> $TableName="auth_users";
> $Query="SELECT * FROM $TableName WHERE username=\"$username\" and
> password=password(\"$password\")";
1. I'm assuming you're using $username and $password as the user's
input, which means that you have register_globals set to On, which is a
high security risk. See
http://www.php.net/register_globals for why this
is a Bad Thing.
2. Your passwords aren't encrypted in the database.
3. You aren't validating the contents of $username and $password, so you
are vulnerable to SQL injection. Use mysql_real_escape_string(). See
http://www.php.net/mysql_real_escape_string.
4. You have no check to ensure that $username and $password actually
exist. What if the user has typed in the URL of the log-in page directly
without using a form?
> $Result=mysql_db_query ($DBName, $Query, $Link);
> $num=mysql_num_rows($Result);
> if ($num==0)
> {
> header("location: logon.php");
> exit();
> }
> else
> {
> session_start();
> session_register('valid');
> $valid="yes";
> }
It is highly recommended that you use $_SESSION instead of
session_register() et al. Mainly because of the register_globals thing.
Think about it, now someone can just go to one of your pages with
"?valid=yes" appended to the URL, and the script will assume they're
logged in.
>
> and the start of the header file included in all the other files being -
> <?
> session_start();
> if ($valid =="results")
> {
> header( "Location: onwards_into_the_files" );
> }
> if ($valid !=="yes")
> {
> header( "Location: logon.php" );
> exit();
> }
>
--
Oli
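An added example (not Fat Bloke's code and not Oli's) showing one way to rework the quoted login and header code along the lines of Oli's four points and the $_SESSION advice. It assumes PHP with PDO and MySQL, a table auth_users(username, password_hash) whose column holds password_hash() output, and placeholder DSN and credentials that must be replaced; bound parameters are used as the present-day equivalent of the mysql_real_escape_string() escaping Oli recommends.

```php
<?php
// Added example (not Fat Bloke's code and not Oli's): login handler and
// page guard reworked per Oli's points 1-4 and the $_SESSION advice.
// Assumptions: PHP with PDO/MySQL, a table auth_users(username, password_hash)
// storing password_hash() output, and placeholder DSN/credentials.
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Point 2: what goes into the database at sign-up is a salted hash,
// never the password itself.
function store_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO auth_users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Points 1, 3 and 4: input is read explicitly from $post (no reliance on
// register_globals), checked for presence before any query runs, and bound
// as a parameter so it never becomes part of the SQL text (the modern
// equivalent of escaping with mysql_real_escape_string()).
// Requires session_start() to have been called. Returns true on success.
function handle_login(PDO $pdo, array $post): bool
{
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return false;   // fields missing: page reached without the form
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM auth_users WHERE username = ?');
    $stmt->execute([$post['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($post['password'], $row['password_hash'])) {
        return false;   // unknown user or wrong password: same response for both
    }
    // $_SESSION instead of session_register(): the flag lives server-side,
    // so "?valid=yes" appended to a URL cannot set it.
    session_regenerate_id(true);
    $_SESSION['valid'] = 'yes';
    $_SESSION['username'] = $post['username'];
    return true;
}

// Replacement for the quoted header file: every protected page calls this
// right after session_start().
function require_login(): void
{
    if (!isset($_SESSION['valid']) || $_SESSION['valid'] !== 'yes') {
        header('Location: logon.php');
        exit();
    }
}

// Usage from the logon.php POST handler (in a real layout the functions
// above would sit in an included file, with require_login() in the header).
session_start();
if (handle_login(db(), $_POST)) {
    header('Location: index.php');
} else {
    header('Location: logon.php');
}
exit();
```

The two redirect branches deliberately give the same response whether the username is unknown or the password is wrong, and session_regenerate_id() is called on success so that the session identifier the client held before authentication does not remain valid afterwards.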