Just a quickie guys, I'm making a login script (only college level) where I've got a page to process the username and password submitted using POST. I'm trying to set up an SQL query that looks something like below (very roughly). Is it right to include the variables in the query like I've done? I've tried w3schools but can't seem to find my scenario.
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "select * from users where user=$user and pass=$pass";
It would then go on to ask if any rows were returned (thus proving the username and password matched) to set a session for the username and redirect to the 'success' page, or else give an error that the username and password were wrong. Does that sound about right?
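Added example, not part of the original post: the same login check with the POST values bound as query parameters instead of interpolated into the SQL string, and the password compared against a stored hash rather than matched in the WHERE clause. The `users` table and `user` column follow the post; the `pass_hash` column, the in-memory SQLite database and the sample accounts are assumptions made so the block runs on its own.

```php
<?php
// Added example. Assumed: pass_hash column, SQLite in-memory DB, constructed sample accounts.
declare(strict_types=1);

// Hash of a throwaway value, used only to keep timing similar for unknown users.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run a verify so response time does not reveal which names exist.
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (user, pass_hash) VALUES (:u, :h)');
foreach (['alice' => 'correct horse', "o'brien" => 'battery staple'] as $u => $p) {
    $ins->execute([':u' => $u, ':h' => password_hash($p, PASSWORD_DEFAULT)]);
}

// In the real page these values would come from $_POST['user'] and $_POST['pass'].
$cases = [
    ['alice', 'correct horse'],     // valid credentials
    ['alice', 'wrong'],             // wrong password
    ["o'brien", 'battery staple'],  // quote in the name is bound as plain data
    ['nobody', 'x'],                // unknown user
];
foreach ($cases as [$u, $p]) {
    if (check_login($db, $u, $p)) {
        // On success the page would call session_regenerate_id(true),
        // set $_SESSION['user'] = $u and redirect to the success page.
        echo "$u: login ok\n";
    } else {
        // Same message for unknown user and wrong password.
        echo "$u: username or password wrong\n";
    }
}
```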