PHP lessons - simple login

A complete login form that checks the given username/password combination against the database and sets the $_SESSION['logged_in'] variable on success. Here is the SQL structure of the users table, which you will have to create first (via phpMyAdmin, for example):
CREATE TABLE IF NOT EXISTS `users` (
  `user_id` tinyint(5) NOT NULL AUTO_INCREMENT,
  `username` varchar(15) COLLATE latin1_general_ci NOT NULL,
  `password` varchar(15) COLLATE latin1_general_ci NOT NULL,
  PRIMARY KEY (`user_id`)
);

If you wish you can also add users via:
INSERT INTO `users` (`user_id`, `username`, `password`) VALUES (1, 'test', 'test');

Here is the whole working PHP code:
<?php
$output     = "";
$login_form = '<form action="login_form.php" method="post">
<label for="username">Username:</label>
<input type="text" name="username" />
<label for="password">Password:</label>
<input type="password" name="password" />
<input type="submit" value="Login" name="login_submit"/>
</form>';

// check if the user & password combination exists in the database; returns the row, or false otherwise
function check_login($username, $password)
{
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '';
    $dbname = 'cdcol';
    // mysqli replaces the mysql_* extension, which was removed in PHP 7
    $link = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    if (!$link) {
        die('Not connected : ' . mysqli_connect_error());
    }
    // prepared statement: the user-supplied values are bound as parameters and never
    // concatenated into the SQL text, so they cannot change the meaning of the query
    $sql  = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1";
    $stmt = mysqli_prepare($link, $sql) or die('Please change your mysql query !');
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    // NOTE: this compares the password in clear text, to match the table defined above;
    // a production login stores a password_hash() digest and checks it with password_verify()
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    mysqli_close($link);
    if (empty($row))
        return false;
    else
        return $row;
}


if (isset($_POST['login_submit'])) {
    if (empty($_POST['username']) or empty($_POST['password'])) {
        $output .= "Please enter username and password!<br />";
        $output .= $login_form;
    } else {
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and was never a defence against
        // SQL injection (it also mangled quotes in valid passwords); the prepared statement
        // in check_login() is the defence, so the raw values are passed through
        $username = trim((string) $_POST['username']);
        $password = (string) $_POST['password'];
        if (check_login($username, $password)) {
            $cookie_path    = "/";
            $cookie_timeout = 3600; // cookie lifetime in seconds
            session_set_cookie_params($cookie_timeout, $cookie_path);
            ini_set("session.gc_maxlifetime", "3600");
            ini_set("session.cache_expire", "180");
            ini_set('session.cookie_lifetime', "3600");
            session_start();
            session_regenerate_id(true); // new session id on login, against session fixation
            $_SESSION['logged_in'] = true;
            $output .= "You have successfully logged in!";
        } else {
            $output .= "Wrong user or password <br />";
            $output .= $login_form;
        }
    }
} else {
    $output .= $login_form;
}
echo $output;
?>
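Added here as an example that is not part of the original post: the same login check with hashed passwords and a prepared statement. It uses an in-memory SQLite database through PDO so it runs stand-alone (the post uses MySQL; only the DSN and credentials would differ), and it assumes a `password` column widened to varchar(255), because a password_hash() digest does not fit the varchar(15) column in the schema above.

```php
<?php
// Added example, not the original post's code. SQLite in memory stands in for the
// post's MySQL database; the "password" column is varchar(255) to hold a hash.

function create_user(PDO $db, string $username, string $password): void
{
    // Store only a salted hash (bcrypt with PASSWORD_DEFAULT); the clear-text password never reaches the table.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user row (without the hash) on success, false otherwise.
function check_login_hashed(PDO $db, string $username, string $password)
{
    // Look up by username only; the password comparison happens in PHP, not in SQL.
    // The bound parameter is matched literally, so a quote in the username cannot break the query.
    $stmt = $db->prepare('SELECT user_id, username, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so both branches do one
    // bcrypt check; this keeps response time similar and does not reveal which usernames exist.
    $hash = $row ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    unset($row['password']); // never hand the stored hash to the caller
    return $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(15)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');
create_user($db, 'test', 'test'); // constructed sample user, same credentials as the post's INSERT

// constructed attempts: correct password, wrong password, unknown user containing a quote
foreach ([['test', 'test'], ['test', 'wrong'], ["o'hara", 'test']] as [$u, $p]) {
    $ok = check_login_hashed($db, $u, $p) !== false;
    echo sprintf("login %-8s / %-6s => %s\n", $u, $p, $ok ? 'accepted' : 'rejected');
}
```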
by Nevyan Neykov


