Hi Nicholas Diaz

I have looked at your suggestion for a script, and I have put below what I feel is a better method for controlling the login issue. It is simplified, and it also sanitizes inputs with the addition of a sanitization script that I have tweaked slightly and that was originally from Stack Overflow.

You should note that a password should never be stored in a database in its RAW format but as a HASH value. This hash value can be MD5 or SHA1; in my example I use MD5.

I suggest the use of an error.php script to handle any errors that you may want to have reported, which is handy if you are suppressing errors. It will be up to the individual to decide how to progress with this.


Code:
<?php
// save as connect.php
// we secure this script by testing if a session variable has been set prior to its call
// (exit after each redirect so nothing below runs once the header is sent)
if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }

  // if we do not make a connection then go to the error.php with the error found
  $connection = mysql_connect("localhost","root","");
  if(!$connection) { header("Location:error.php?e=noconnect"); exit; }
  
  // if we connect but can not select the database then goto error.php with the error
  $ok = mysql_select_db("elite_kenpo");
  if(!$ok ) { header("Location:error.php?e=nodb"); exit; }

?>
If the database connect.php script is called directly then it will result in invoking the error.php script (not supplied) and you can mimic or get the server to force a 404 error which is "Not Found" so that then fools any snoopers.


Code:
<?php // save as sanitize.php
// stop after the redirect so the rest of the file is not processed
if( !isset( $_SESSION ) ) { header("Location:error.php?e=404"); exit; }
function sanitize($data) {
	// remove whitespaces (not a must though)
	$data = trim($data);
 
	// apply stripslashes if magic_quotes_gpc is enabled
	if(get_magic_quotes_gpc()) $data = stripslashes($data);
 
	// a mySQL connection is required before using this function
	return mysql_real_escape_string($data);
}
?>
Again, if the sanitize.php script is called outside of a session it gets the 404 treatment.

Code:
<?php 
session_start(); 
error_reporting(0);

// have both login fields been posted? ($_POST itself always exists, so test the fields)
if ( isset($_POST['username'], $_POST['password']) ) {
	// load up the sanitize and database connection script
	include("sanitize.php");	
	include ("connect.php") ;
	
	// create a query string and sanitize the inputs 
	$query = sprintf("SELECT * FROM `members` WHERE username='%s' AND password='%s' LIMIT 1",
		sanitize($_POST['username']), md5(sanitize($_POST['password'])) );
	
	// get any results
	$result = mysql_query($query);

	// if the query ran and the number of rows returned is greater than zero then we have a match
	if( $result && mysql_num_rows($result)>0){
		// fetch the user details to set the session variable
		$user = mysql_fetch_assoc($result);
		
		// set the session variable
		$_SESSION['username']=$user['username'];
		
		// now go to a different location...
		header("Location:private.php");
		exit;
	
	}else{
		// if not, then we go to a login failed page 
		header("Location:error.php?e=failedlogin"); 
		exit;
	}
}
?>
Any user in the database should be unique, so the parameters in the query are set to pull only one row that matches; the inputs are cleaned, then the query cleaned, for the SQL query to run. If there are any results, the row is pulled and the session is set from that result. Validation and checking have been done via a database query; you don't really need to do any checking of whether the $_POST variable matches a particular user, because if a user exists, they are called from the database, and if the database returns no result then that user does not exist and can be dealt with accordingly.

It is possible to make this process shorter, but I am not going to go that far. It is enough to say that sanitizing is easily implemented and understood. You will find complicated scripts that try to overdo things, so keep it simple stupid (KISS) is the best option.
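
Added example, not part of the original post: the same login lookup using a PDO prepared statement with a bound parameter, plus PHP's `password_hash()` / `password_verify()`, because the `mysql_*` extension used above was removed in PHP 7 and unsalted MD5 is too fast to protect stored passwords. The function name `find_member`, the `password_hash` column, the in-memory SQLite database and the sample account are assumptions made so that it runs stand-alone.

```php
<?php
// Added example: the login check with a bound parameter and password_hash().
// Uses an in-memory SQLite database so it runs stand-alone; the table layout
// and the sample account below are constructed for illustration.
declare(strict_types=1);

function find_member(PDO $db, string $username, string $password): ?array
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so both paths
    // do the same amount of hashing work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummy;

    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    return ['username' => $row['username']];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; the stored value is a salted hash, not MD5.
$ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: a valid login, a wrong password, and an unknown
// username containing a quote, which the bound parameter treats as plain data.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["o'brien", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    $member = find_member($db, $u, $p);
    if ($member !== null) {
        // In the login page: session_regenerate_id(true), then set $_SESSION['username'].
        echo "login ok: {$member['username']}\n";
    } else {
        echo "login failed\n";
    }
}
```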