Fourth, this "if ($_COOKIE['autologin'] == $row3['session_key'])" is redundant, since sets their cookie to "; drop database xxx" or whatever, you aren't screwed.