if($_GET['logout'])

All you need to do is check if variable is set, so instead of the line above, put this:

if( isset($_GET['logout']) )

This should do it. Let me know.

I tested the scrip but i saw this error in the protected.php page

Notice: Undefined index: logout in C:\wamp\www\php_login\php_login\protected.php on line 19

Can you please help me?

I’m agree with Gigi, I using $_SESSION till now, then I read this post, the better idea is combine its.

You wanted me to share a better solution: store the userid in $_SESSION (or 0 if guest), on all pages which require a valid user check the $_SESSION. And, of course, prevent sql injections by making sure to sanitize any input to your script, don’t use register_globals, try reading about various php security tips and tricks, etc.

I’ve been programming for 12 years now, in a lot of languages, not only php and I can tell you from own experience that the syndrome “let’s find another (maybe clever) way to do something, totally different than everybody else is doing it” is very bad for business.
I’ve seen and worked with a lot of beginner developers which find on google various tutorials and examples (such as the example login you have here), don’t think for themselves and just copy+paste the code in their scripts and then are surprised that they get bad performance, bad security or plain old bad code… this is bad for the community, so if you want to HELP the community and beginners, explain WHY the proven methodology works, don’t waste time finding ‘clever ways’ to re-invent the wheel.

You said you’ve seen live sites where you could bypass login via some sql injection.. then you’ve witnessed the phenomenon i’m talking about: bad programming due to bad tutorials.
It’s very common (unfortunately) in the PHP world and that’s why java/c#/c++ developers sometimes look down at php developers saying they’re just some script kiddies… Of course, java/c# worlds have their own ’script kiddies’ but since many of them are making enterprise/desktop apps not everybody can see the results of their work, while php is being used for a lot of sites so it’s easier to discover the bad written ones.

Programming is a very difficult job and has nothing to do with the language in which you’re programming.

p.s.:
http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/ more info on REAL security issues with session.

As for the “problem” with $_SESSION, it’s quite simple: prevent SQL injection (you should do that anyway, i can’t imagine writing something in php without thinking of potential sql injections to that script) and no issue with $_SESSION.

And, yes, sometimes you shouldn’t do queries in your pages. We use memcached all-over the place.

Of course, i guess for “look mom, i made a php site with 500 visitors/month” php development your solution works too … :)

About the $_SESSION['some_variable'] situation, I’ve seen this. It goes like this: you have a login page and the user does an sql injection with your form. User input verification is not properly done and it validates. $_SESSION['some variable'] gets from false to true. All subsequent pages verify if the session variable is true and if it is grants access. So you have access to all pages even though you didn’t had a user. I repeat, I’ve seen this on live websites.