
PHP MD5 Secure login script.

1 point by neinsun, over 13 years ago

5 comments

infinity, over 13 years ago
In the verifier.php I see a problem here:

    $uid=$_COOKIE['uid'];
    $uname=$_COOKIE['uname'];
    $sql="SELECT * FROM users WHERE username='$uname'";

The $uname is set from the value of 'uname' in the $_COOKIE array, but I see no input validation here.

If I were an evil attacker, I could send arbitrary cookie data to the server, and it would end up in the $_COOKIE superglobal. If I include some SQL code, ... All input is evil!

Later, in the welcome.php the $_COOKIE['uname'] is echoed without any escapes.
gregjor, over 13 years ago
Use mysql_real_escape_string() instead of addslashes(). And the cookie contents can't be trusted. The usual way to do this is with a server-side session, but if a cookie is used the user id and name have to be protected; MD5 can be used to do that, too.
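
The points raised in the two comments above (cookie values reaching the SQL query and the page output unchecked, and protecting the user id and name when a cookie is used), shown as an added example that is not part of the thread or of the script being reviewed. It assumes a `users` table with `id` and `username` columns, a hypothetical `COOKIE_KEY` constant, and the pdo_sqlite extension for the constructed demo data, and it uses HMAC-SHA256 where the comment mentions MD5:

```php
<?php
// Added example: table layout, cookie format and key are assumptions, not the reviewed script.
const COOKIE_KEY = 'constructed-demo-key-load-from-server-config'; // placeholder secret

// Build "uid|base64(uname)|mac" so the server can detect any client-side edit.
function seal_identity(int $uid, string $uname): string {
    $payload = $uid . '|' . base64_encode($uname);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return [uid, uname], or null when the cookie is malformed or its MAC does not match.
function open_identity(string $cookie): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return null;
    [$uid, $b64, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid . '|' . $b64, COOKIE_KEY);
    if (!hash_equals($expected, $mac) || !ctype_digit($uid)) return null; // constant-time compare
    $uname = base64_decode($b64, true);
    return $uname === false ? null : [(int)$uid, $uname];
}

// Parameterised lookup: the username is bound as data, never spliced into the SQL text.
function find_user(PDO $db, string $uname): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$uname]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$ins = $db->prepare('INSERT INTO users (id, username) VALUES (?, ?)');
$ins->execute([1, 'alice']);
$ins->execute([2, "o'neil"]); // a legitimate name that contains a quote

$good     = seal_identity(1, 'alice');
$edited   = str_replace(base64_encode('alice'), base64_encode("o'neil"), $good); // MAC now stale
$withQuote = seal_identity(2, "o'neil");

foreach ([$good, $edited, $withQuote] as $cookie) {
    $id   = open_identity($cookie);
    $user = $id ? find_user($db, $id[1]) : null;
    // Escape on output, which is the step welcome.php is said to skip.
    echo $user ? 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') : 'Rejected';
    echo PHP_EOL;
}
```
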
_ud4a, over 13 years ago
Why are you adding slashes to the password before converting it into md5? Even if they have ' in the password, the md5 would get rid of it when you use it in the query.
bornonthebull, over 13 years ago
Please add some salt to your password.
adamjleonard, over 13 years ago
DO NOT USE THIS CODE!