MySQL and PHP simple login system
RE: MySQL and PHP simple login system #24
(09-01-2013, 12:25 PM)1llusion Wrote:
(09-01-2013, 11:37 AM)noize Wrote:
(09-01-2013, 02:30 AM)F1L15K0 Wrote: Too many things in this small system, and it isn't secure.

This is a really old script from me. I really knew nothing about PHP at the time. Would you mind explaining how this is not secure, though?

What I think he means is that mysql_* functions aren't considered secure anymore. Also, I think you have an SQL injection there because:

See the first and last line:
When users log-in, the $_SESSION['username'] variable is set with unescaped data:
Code:
$username = $_POST['user'];
$password = $_POST['pass'];
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
mysql_select_db($dbname);
// the login query itself escapes both values...
$query = sprintf("SELECT COUNT(id) FROM users WHERE UPPER(username) = UPPER('%s') AND password='%s'",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password));
$result = mysql_query($query);
list($count) = mysql_fetch_row($result);
if ($count == 1) { // if we found the user/pass combination
    $_SESSION['authenticated'] = true;
    // ...but the raw, unescaped $_POST value is what gets stored in the session
    $_SESSION['username'] = $username;
}

And later on, when you check for privileges, you use the value in $_SESSION['username'] directly in your query:
Code:
// else, if he's logged in, we retrieve his privilege level and set it to the
// variable $is_admin, so we could use it in all pages where this is required

$username = $_SESSION['username']; // the unescaped value stored at login
// interpolated straight into the SQL string, with no mysql_real_escape_string()
$result = mysql_query("SELECT * from users WHERE username='$username'");
$row = mysql_fetch_array($result);
$is_admin = $row['is_admin'];

Long eye, lol. However, this system does not even inform the user if he uses unaccepted characters in the username in the signup form (and in the login form as well), so he might think his username is A while it is B. This all should be thoroughly rewritten.

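As an added example that is not part of the thread or of the posted script: the same two steps (login, then privilege lookup) written with mysqli prepared statements, so the username is bound as a parameter in both queries and only the numeric user id is carried in the session, which removes the unescaped-session-value problem 1llusion points out and adds the up-front username check noize asks for. It assumes a mysqli connection in $conn with mysqlnd available (for get_result()) and a users table with id, username, password_hash and is_admin columns; it also swaps the plaintext password comparison for password_verify() against a stored hash, which the posted script does not do.

```php
<?php
// Added example, not from the thread. Assumes: $conn is a mysqli connection
// (mysqlnd present for get_result()), table `users` has id, username,
// password_hash, is_admin. Session must already be started.

// Reject bad usernames up front and tell the user why, instead of silently
// escaping or altering them (the signup/login point raised by noize).
function validate_username(string $username): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'Username may only contain letters, digits and underscores (3-32 chars).';
    }
    return null;
}

// Login: the username is a bound parameter, so nothing is escaped by hand and
// no escaped copy has to be carried around. Only the numeric id goes into the session.
function login(mysqli $conn, string $username, string $password): bool
{
    if (validate_username($username) !== null) {
        return false;
    }
    $stmt = $conn->prepare(
        'SELECT id, password_hash FROM users WHERE UPPER(username) = UPPER(?)'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id after privilege change
    $_SESSION['authenticated'] = true;
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Privilege lookup: the posted script interpolated $_SESSION['username'] into SQL.
// Here the lookup is keyed by the integer id and still uses a bound parameter.
function is_admin(mysqli $conn): bool
{
    if (empty($_SESSION['authenticated']) || !isset($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $conn->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['user_id']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && (bool) $row['is_admin'];
}
```

The same change applies to the signup handler: call validate_username() and show its message to the user before inserting, and store password_hash($password, PASSWORD_DEFAULT) rather than the raw password.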
Messages In This Thread
MySQL and PHP simple login system - by noize - 05-08-2013, 07:01 PM