Help with writing a login with Sessions

Hey Everyone, I really could use some help with this code, I am trying to write it so it stores a session and doesn't pass the AdminID in the url after login, and I keep getting stuck because it isn't passing it to the other pages, so nothing is loading, login, get a blank page...
Here is the code:

Code:

<?php 
session_start();
include("inc/dbconn_open.php") ;

if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';}

$msg = '';

if (!empty($UserName)) {

    $sql = "SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'";
    $result = mysql_query ($sql);
$row = mysql_fetch_object ($result);

If (mysql_num_rows($result) > 0) {
$_SESSION['AdminLogin'] = "OK";
header ("Location: Main.php?AdminID=". $row->AdminID);  <---how can I mask this or   make it work without showing the AdminID?

} else {
$msg = "Invalid Login";
}
}

?>

Thanks in advance!!

[Free WordPress Themes]

Check one of these projects:
http://phpuserclass.com/
http://www.finalwebsites.com/snippets.php?id=10

Thanks I will check those out.  Before you posted I kind of figured something out by changing my code to this:

Code:

<?php 
session_start();
include("inc/dbconn_open.php") ;

if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';}

$msg = '';

if (!empty($UserName)) {

    $sql = "SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'";
    $result = mysql_query ($sql);
$row = mysql_fetch_object ($result);

If (mysql_num_rows($result) > 0) {
$_SESSION['AdminLogin'] = "OK";
header ("Location: Main.php?AdminID=". $_SESSION['AdminLogin']); <--now it says OK in the url....

} else {
$msg = "Invalid Login";
}
}

?>

Not sure if this is a real fix -- this is for a backend Intranet app, I was thinking now I may look up how to make that "OK" get masked into some random 5 digit number or something more mysterious so when the Art Dept guys get bored and attempt to break into it , this time it will be harder-- that is the reason having the AdminID in the URL became a problem...bored Art Dept...Oi...
So I am guessing I have to figure out how to use MD5 ? on the "OK"

[Free WordPress Themes]

if you declared a session variable, it's not necessary to pass the values via the query string

  hmm I thought I was declaring _SESSION = AdminLogin
guess I need to read the tutorial on it again?

[Free WordPress Themes]

if you have:

$_SESSION['some_var'] = 'yes'

in file script.php

you the same variable in script2.php

if you call session_start();

[Free WordPress Themes]

btw. your code is not safe (mysql injection risks) never use that snippet for production

I had tried that but then it just wouldn't pass to the next page, so when you logged in on page1.php and clicked login instead of going to page2.php it just kept reloading page1.php again...

[Free WordPress Themes]

I had tried that but then it just wouldn't pass to the next page, so when you logged in on page1.php and clicked login instead of going to page2.php it just kept reloading page1.php again...

in that case your code on page 2 is not fine

[Join us @ facebook]

You should have the session_start() command in the beginning of both your php files before any output. Also as Olaf mentioned you have sql injection security problem witch can give full control over your database. Another tiny thing is that you should use full urls in location headers.

So this:

header('Location: Main.php');?>

will become :

header('Location: http://somesite.com/Main.php');?>

[Guest]

[59.833]

adsense, froz, shaunshenker, alexabc123fgh