PHP Help
Straight
October 22nd, 2012, 01:54 PM
Ok, I am learning PHP/MySQL and right now I am making a log-in system. I have made the Create User and log-in forms... and when you press log in it will open a .php page saying if the details match with the database's details. The problem is that I want to make a cookie which says that the person has logged on. I'm not really sure how to do this, but I tried to convert a PHP variable into a JavaScript one.... but it didn't work. Can anyone help me do this? This is the script so far:
<?php
// Connect to MySQL (credentials were redacted in the original post).
$con = mysql_connect("******", "******", "******");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
// Array keys must be quoted strings, not bare words.
$username = $_GET['usernamelogin'];
$password = $_GET['passwordlogin'];
mysql_select_db("******_users", $con);
// $username is pasted straight into the SQL text here (see the replies below).
$result = mysql_query("SELECT * FROM Users WHERE Username='$username'");
while ($row = mysql_fetch_array($result))
{
    // == compares; a single = would assign $password to the array element and always succeed.
    if ($row['Password'] == $password)
    {
        echo "You have logged in.<br />";
    }
    else
    {
        echo "Your username or password is incorrect.";
    }
}
?>
<html>
<head></head>
<body>
Please wait...
</body>
</html>
I'm not exactly a genius with JavaScript, but I will understand any code you give to me.
ethanf93
October 22nd, 2012, 03:14 PM
What you want is $_SESSION (http://www.php.net/manual/en/reserved.variables.session.php), so to set logged in:
$_SESSION['loggedin'] = true;
Data stored in $_SESSION stays with the user but the user can't forge it - with a cookie they can forge it.
* * *
More importantly you should not use that code online. The code:
$result = mysql_query("SELECT * FROM Users WHERE Username='$username'");
is extremely insecure. Consider: what happens when the user enters the following as their username?
'; DROP TABLE Users;
The database receives the following query:
SELECT * FROM Users Where Username=''; DROP TABLE Users; '
MySQL will usually (this is a simplification) split the query into the two statements, the SELECT and the DROP. It will then execute both of them - so it will SELECT on Users, delete the Users table, and then give an error on the lone apostrophe.
This is called a SQL injection attack, since a user could (either maliciously or by accident) cause the MySQL server to execute code.
As a simple fix, you need to run $username through mysql_real_escape_string (http://www.php.net/manual/en/function.mysql-real-escape-string.php) before running mysql_query.
I would recommend getting a really good PHP book but unfortunately I've actually seen professionally published books (usually just the older ones) with these sorts of problems.
TheMatrix
October 22nd, 2012, 08:43 PM
Sessions are one way to do it. PHP offers a session thing (I'm not going to call it a library -- it's not) built-in, and there are probably numerous others on the internet.
You can also send the username and password in a cookie (make sure you use some form of hashing and preferably with a salt), which works fine for some things.
But before you bother with PHP, consider using a practical programming language that you can use for all sorts of other things as well. I personally much like Perl; others may prefer Python, Ruby, or even Java.
PHP only does trivial things with lots of effort, and you will have to learn an extra language if you choose to do anything else.
That's just me, though, you should use whatever suits you best.
Straight
October 23rd, 2012, 03:47 PM
Thanks for the feedback! I will definitely consider making a validation to make sure that the user doesn't type in phrases which could delete the databases. (Should I make it so that you can't use a ; sign?)
ethanf93
October 23rd, 2012, 04:03 PM
Thanks for the feedback! I will definitely consider making a validation to make sure that the user doesn't type in phrases which could delete the databases. (Should I make it so that you can't use a ; sign?)
That's not enough - you need to use mysql_real_escape_string as I linked above. Users can still enter single apostrophes which can cause problems. With mysql_real_escape_string you don't have to worry if a user entered a quote or a backslash; it allows them to be safely sent to the database.
If a user enters a username of
John Doe ' woof
The mysql server will get confused on the word "woof" because as far as MySQL knows "woof" is outside of the string it's supposed to compare the username to.
mysql_real_escape_string escapes single apostrophes and some other "bad characters" (like double quotes,) so
'
becomes
\'
The MySQL server knows to treat \' as just a single apostrophe rather than ending the string.
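As an added illustration of the two points ethanf93 makes in this thread (the string-built query breaking on a stray apostrophe, and $_SESSION as the place to record a login), here is a self-contained PHP script that is not the original poster's code. It uses an in-memory SQLite table through PDO so it runs without a MySQL server (it needs the pdo_sqlite extension), and it swaps in a prepared statement instead of mysql_real_escape_string: the mysql_* functions the thread uses were removed in PHP 7, and a prepared statement sends the value separately from the SQL text so no escaping is needed at all. The table layout, the sample user and the password are constructed for the example.

```php
<?php
// Added example, not code from the thread. Same login check built two ways against
// an in-memory SQLite table so it runs offline. Needs the pdo_sqlite extension.
declare(strict_types=1);

// Constructed sample data: one user whose password is stored as a password_hash() digest,
// never in clear text as in the original script.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO Users (Username, PasswordHash) VALUES (?, ?)');
$insert->execute(['John Doe', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The pattern from the thread: user input pasted straight into the SQL text.
// A quote inside $username ends the string literal early and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $row = $db->query("SELECT * FROM Users WHERE Username='$username'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The fix: a prepared statement with a placeholder. The driver passes the value
// separately from the SQL, so a quote in the username is just part of the value.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT * FROM Users WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check: look the user up safely, compare against the stored hash with
// password_verify(), and on success record the login in the server-side session
// (the $_SESSION flag ethanf93 describes) rather than in a client-writable cookie.
function login(PDO $db, string $username, string $password): bool
{
    $user = findUserSafe($db, $username);
    if ($user === null || !password_verify($password, $user['PasswordHash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $user['Username'];
    return true;
}

// The input from the thread that breaks the string-built query.
$oddUsername = "John Doe ' woof";

try {
    findUserUnsafe($db, $oddUsername);
    echo "unsafe query ran\n";
} catch (PDOException $e) {
    // The database rejects the mangled SQL; with other inputs it would run something else entirely.
    echo "unsafe query rejected by the database: " . $e->getMessage() . "\n";
}

// The prepared statement looks the odd username up literally and simply finds no such user.
var_dump(findUserSafe($db, $oddUsername));

// Correct and incorrect passwords for the constructed sample user.
var_dump(login($db, 'John Doe', 'correct horse'));
var_dump(login($db, 'John Doe', 'wrong password'));
```

Run it with `php` from the command line. The unsafe lookup throws because SQLite, like MySQL, sees the `woof'` fragment outside the string literal; the prepared lookup returns no row, and only the matching password sets the session flag.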