ichidan wrote: Can the client also just download mypage.php and look thru all of my code, rip it, and use it to find out, say, any passwords I'm using?
No. If your web server is parsing the files correctly, then the PHP code never reaches the visitor's computer.
ichidan wrote: If I was making a bulletin board system of some sort, and I had a list of accounts & passwords in a file e.g.
Don't store passwords in a text file unless it's outside of the document root. For that matter, never store passwords in plaintext. Always encrypt them in an un-encryptable format like md5 or MySQL's PASSWORD() function and then check the password users enter at login by encrypting it also and checking the encrypted strings against each other. This will protect your users' passwords even in the event that a hacker gains access to root. And even from you.
ichidan wrote: chmod'ed to 700 (only owner has full access, groups/public have nothing)
This'll help too.
Your login code is pretty conventional and doesn't contain any significant holes. However, unless you're a control freak like me, I usually recommend against reinventing the wheel. I recommend going out there and finding a highly-rated PHP user/authentication system that fits your needs. Or ask around here for recommendations, though most will probably just refer you to Google as I have.
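An added example, not part of the original posts or of ichidan's code: a file-backed account store that keeps only one-way password hashes, placed outside the document root with owner-only permissions. It uses PHP's built-in password_hash()/password_verify() rather than md5; the path and function names are hypothetical.

```php
<?php
// Hypothetical location; the only requirement is that it is outside the document root.
const ACCOUNTS_FILE = '/var/www/private/accounts.json';

function load_accounts(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $data = json_decode(file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function save_accounts(string $path, array $accounts): void
{
    // Write to a temp file and rename, so a crash never leaves a half-written store.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, json_encode($accounts), LOCK_EX);
    chmod($tmp, 0600); // owner read/write only; a data file needs no execute bit
    rename($tmp, $path);
}

function register_user(string $path, string $user, string $password): bool
{
    $accounts = load_accounts($path);
    if (isset($accounts[$user])) {
        return false; // name already taken
    }
    // password_hash() generates a per-user salt and embeds it in the returned string,
    // so the file never contains the password itself.
    $accounts[$user] = password_hash($password, PASSWORD_DEFAULT);
    save_accounts($path, $accounts);
    return true;
}

function check_login(string $path, string $user, string $password): bool
{
    $accounts = load_accounts($path);
    // Unknown users are checked against a throwaway hash so both paths do similar work.
    $hash = $accounts[$user] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $ok && isset($accounts[$user]);
}
```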