Hello.
I have the following login system:
// Login form:
<form method='post' action='loginskript.php'>
Benutzer/ID:<input name='user' type='text'/>
Passwort:<input name='pw' type='password'/>
<input value='Login' type='submit' name='Login'/>
</form>
// Login script:
session_start();
$host=xxx;
$user=xxx;
$pw=xxx;
$c=mysql_connect($host,$user,$pw);
mysql_select_db('name',$c);
if(!$_POST['user']||$_POST['user']=='') {
header('Location: index.php?show=blank&action=lfailed&err=nonen');
}elseif(!$_POST['pw']||$_POST['pw']=='') {
header('Location: index.php?show=blank&action=lfailed&err=nopen');
}
$nick=$_POST['user'];
$pw=$_POST['pw'];
$query="
SELECT user,pwd,xxxxxx,userid FROM xxx1 WHERE user='$nick'
";
$num=mysql_query($query,$c) or die (mysql_error());
$row = mysql_fetch_array($num);
$r_name = $row["user"];
$r_pw = $row["pwd"];
$r_branche = $row["xxxxxx"];
$r_uid = $row["userid"];
$_SESSION["user_id"] = $r_uid;
$_SESSION["user_nickname"] = $r_name;
$_SESSION["user_nachname"] = $r_xxxxxx;
$_SESSION['IP']=$_SERVER['REMOTE_ADDR'];
header("Location: online.php");
// online.php
session_start ();
if(!isset ($_SESSION["user_id"])){
header ("Location: index.php?show=start");
die();
}elseif($_SESSION['IP'] != $_SERVER['REMOTE_ADDR']) {
header ("Location: index.php?show=start");
die();
}
On the login form, only the following characters are allowed:
0-9,a-z,A-Z,_,-
The whole thing works. But is it secure enough? What else can I do?
Have a nice day
Peter Strucks
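
Added example, not part of the original post: the script above reads `$pw` but never compares it with `$r_pw`, fills the session even when no row matched, builds the query by interpolating `$nick`, and keeps running after `header()` in the empty-field branches. The sketch below addresses those four points. Assumptions: the table name `users` is a placeholder for the redacted one, `pwd` stores `password_hash()` output, and the functions `attempt_login()` and `start_user_session()` are hypothetical names.

```php
<?php
// Added example, not the poster's code. Assumptions: table `users` stands in
// for the redacted table name and `pwd` holds password_hash() output.

// Returns the user row on success, null on any failure.
function attempt_login(PDO $db, string $nick, string $pw): ?array
{
    // Enforce the allowed character set on the server; a restriction in the
    // form does not bind a client that posts to the script directly.
    if ($pw === '' || !preg_match('/\A[0-9A-Za-z_-]+\z/', $nick)) {
        return null;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT user, pwd, userid FROM users WHERE user = :nick');
    $stmt->execute([':nick' => $nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password are rejected the same way.
    if ($row === false || !password_verify($pw, $row['pwd'])) {
        return null;
    }
    return $row;
}

// What loginskript.php would do with a successful result.
function start_user_session(array $row): void
{
    session_start();
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['user_id'] = $row['userid'];
    $_SESSION['user_nickname'] = $row['user'];
    $_SESSION['IP'] = $_SERVER['REMOTE_ADDR'];
    header('Location: online.php');
    exit;                                   // stop the script after the redirect
}

// Constructed sample data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, user TEXT UNIQUE, pwd TEXT)');
$ins = $db->prepare('INSERT INTO users (user, pwd) VALUES (?, ?)');
$ins->execute(['peter_s', password_hash('sample-pass', PASSWORD_DEFAULT)]);

var_dump(attempt_login($db, 'peter_s', 'sample-pass') !== null); // valid credentials
var_dump(attempt_login($db, 'peter_s', 'wrong') !== null);       // wrong password
var_dump(attempt_login($db, "o'brien", 'x') !== null);           // name outside the charset
```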