Untitled

<?php
//session_start();
/*
* To be able to login the following things need to be true
* correct username/password
* username must be validated
* username must not be marked as logged in?
*/
require_once("mysql.php");
mysqlConnect();
//checkCreds();

function checkCreds($user, $pass){
  //login
 //echo "User: $user Pass: $pass #";
  $result = mysql_query("SELECT * FROM user WHERE username = \"$user\"");
  $row = mysql_fetch_array($result);

  if ($row['password'] == $pass){ //correct password for the user
      $_SESSION['uName'] = $user;
      mysql_query("UPDATE user SET sessionID = \"".session_id()."\" WHERE username = $user");
      isLoggedIn($user);

  }else{//bad password
    isLoggedIn("");
  }
}


function isLoggedIn($uname){
	//if the user is logged in, then display a welcome message
	if ($uname == ""){
		//user is not logged in
		echo "<div id=\"login2\">";
		echo "<form action=\"serverside/login.php\" method=\"post\">";
		echo "Username: ";
		echo "<input type=\"text\" name=\"uname\" id=\"loginUname\" class=\"loginField\">";
		echo "Password: ";
		echo "<input type=\"password\" name=\"pass\" id=\"loginPass\" class=\"loginField\">";
		echo "<input type=\"button\" value=\"Submit\" onclick=\"mycatch()\" class=\"loginField\"/>";
		echo "</form>";
		echo "<a href=\"password.php\">Forgot your password?</a><br />";
		echo "<a href=\"register.php\">Register as a new user</a>";
		echo "</div>";
	}else{
		//TODO:
		//check that the username, and session id are correct
		//ie. upon logging in the db will store the (then) current session id
		//we can check that session id + name each time we send a page
		//will cost as an extra lookup, but is more secure (session cookie hasn't been messed with to trick us into thinking it's for a logged in user)

		echo "Welcome ".$uname;
	}
	//$ip= $_SERVER['REMOTE_ADDR'];
	//echo "<b>IP Address= $ip#</b>";
}
?>