How secure is this?

Can any PHP experts take a look at my code and tell me how secure it is?

I realise it's not the cleanest of code but it works. :p

PHP:
<?php

include 'database.php';

// Raw form input (the mysql_* extension used below was removed in PHP 7)
$AdminUsername = $_POST['adminusername'];
$AdminPassword = $_POST['adminpasswordguess'];

// Escape the username, then strip spaces and anything that is not a letter or digit
$AdminUser = mysql_real_escape_string($AdminUsername);
$AdminUserChar = str_replace(' ', '', $AdminUser);
$AdminClear = preg_replace("/[^a-zA-Z0-9]/", "", $AdminUserChar);

// Same treatment for the password; it is compared in plaintext against the admin table
$AdminPass = mysql_real_escape_string($AdminPassword);
$AdminPassChar = str_replace(' ', '', $AdminPass);
$AdminPassClear = preg_replace("/[^a-zA-Z0-9]/", "", $AdminPassChar);

// Both values must be interpolated ($AdminClear, not the literal string 'AdminClear')
$query = "SELECT adminid, adminusername, adminpassword FROM admin WHERE adminusername = '$AdminClear' AND adminpassword = '$AdminPassClear'";
$result = mysql_query($query);

$row = mysql_fetch_array($result);
$AdminID = $row["adminid"];

if (mysql_num_rows($result) != 1) {
    header("Location: wrongpassword.php");
    exit; // stop here: a redirect header alone does not stop the script from running on
} else {
    session_start();
    $_SESSION['adminusername'] = "$AdminUsername";
    $_SESSION['adminuserid'] = "$AdminID";
    $_SESSION['AdminAuthorised'] = "Y";
    include "adminindex.php";
}

?>

and then this at the top of every page:

PHP:
<?php
session_start();
// Redirect anyone without an authorised session, and stop so the page body is never sent
if ($_SESSION['AdminAuthorised'] != "Y") {
    header("Location: notauthorised.php");
    exit;
}
?>
 
Thanks for the replies.

It's just a login system to be used by one person for a mini-CMS I made.

I've not "hashed" the password because there's only one person that can log in, but I may do it if you think I should.

Is there any way that someone could get round my code and log in? That's what I want to know.
 
Right, OK, so without hashing the login is safe, BUT if the hacker gains access via some other means on the server, it would be compromised without hashing?
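A hardened version of the login script, added here as an example (it is not the OP's code and not from the thread): it looks the user up with a PDO prepared statement so the input is never spliced into the SQL string, checks the password with password_verify() against a password_hash() value instead of comparing plaintext, and exits after each redirect. It assumes database.php creates a PDO handle named $pdo and that the adminpassword column already holds a password_hash() result; the table and column names are the OP's.

```php
<?php
// Added example, not the OP's code. Assumes database.php defines $pdo (a PDO
// instance) and that admin.adminpassword holds a password_hash() result.
declare(strict_types=1);

session_start();
require 'database.php';

$username = $_POST['adminusername'] ?? '';
$password = $_POST['adminpasswordguess'] ?? '';

// Prepared statement: the username travels as a bound parameter, so no
// escaping or character stripping is needed to keep it out of the SQL.
$stmt = $pdo->prepare(
    'SELECT adminid, adminusername, adminpassword FROM admin WHERE adminusername = ?'
);
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Always run password_verify, even for an unknown username, so a failed
// login takes about the same time either way and does not reveal valid names.
$storedHash = $row['adminpassword'] ?? password_hash('dummy', PASSWORD_DEFAULT);
$ok = password_verify($password, $storedHash) && $row !== false;

if (!$ok) {
    header('Location: wrongpassword.php');
    exit; // without exit the rest of the script would still run after the redirect
}

// Fresh session id on login so an id set before authentication cannot be reused.
session_regenerate_id(true);
$_SESSION['adminusername']   = $row['adminusername'];
$_SESSION['adminuserid']     = (int) $row['adminid'];
$_SESSION['AdminAuthorised'] = 'Y';

// If PHP's default algorithm or cost has changed since the hash was made, re-hash now.
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
    $upd = $pdo->prepare('UPDATE admin SET adminpassword = ? WHERE adminid = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['adminid']]);
}

header('Location: adminindex.php');
exit;
```

To create the stored value once, run password_hash('your-password', PASSWORD_DEFAULT) and save the result in adminpassword. The per-page guard needs an exit; after its header() call as well, otherwise the protected page body is still sent to a client that was told to go away.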
 