User Access Restriction by account type (easy help?)

StarLion,

I tried to find out about the “IE submit bug” that you mention. Is it a security risk? I have in my contract that I no longer support IE6, so am I off the hook unless it’s a security bug? Strangely, I didn’t get much fuel querying Google for the obvious keywords (with/without quotes)…

It’s not a security bug - IE has the bad habit that if you hit the enter key to submit your form, rather than push the button, it won’t send the button’s value through the form.

Thank you for that, StarLion, I will look into that. (So you are saying this is one way to get that E_WARNING you were talking about. Is that so bad? If I were the user, I would refresh and fill it out again. I don’t see any way to prevent this, other than ditching Kevin’s elegant multi-purpose pattern.)

In the meantime, I am happy to say that I have a system that works (your easy suggestion was all that I needed). :smiley:

Now, in addressing security issues, I will implement SHA2 encryption, and “sanitize” my form inputs (do you have any favorite techniques?). (I will also move my final includes to a secure path (above the document root, with privileges 644). My sessions directory is already in the same location, 644.)

Is there anything else that would need to be done in terms of my queries to make this thing (at least 9mm) bullet-proof?

I decided to go with:

$sql = "SELECT usertype,userid,password,fullname FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";

for my main sql query. Password issue aside, are there any security problems with this system that might need tweaking?

You should always design your scripts so the user wouldn’t have to refresh and fill it out again. Some people won’t like that and will leave your site behind.

The partial script I posted above will prevent the E_WARNING from happening.


// Default to an empty string so $uid is always defined.
$uid = '';

// Prefer the value submitted with the form, if the field was sent at all.
if ( isset($_POST['uid']) ) {
   $uid = $_POST['uid'];
}
// Otherwise fall back to the value already stored in the session.
elseif ( isset($_SESSION['uid']) ) {
   $uid = $_SESSION['uid'];
}

This won’t generate the E_WARNING.
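As an added example that is not part of this thread: the isset() pattern from the reply above combined with the login query from the earlier post, but with PDO prepared statements in place of interpolating $uid and $pwd into the SQL, and PHP’s password_hash()/password_verify() swapped in for MySQL’s PASSWORD(). It assumes a PDO connection in $pdo and a `user` table whose `password` column is wide enough (255 characters) to hold a password_hash() digest.

```php
<?php
// Added example, not code from the thread. Assumes $pdo is an open PDO connection
// and that user.password stores password_hash() output (VARCHAR(255)).
declare(strict_types=1);

// Same idea as the reply above: isset() guards mean a missing POST field
// (for example, IE submitting via the Enter key) never raises an E_WARNING.
function currentUid(array $post, array $session): string
{
    if (isset($post['uid'])) {
        return (string) $post['uid'];
    }
    if (isset($session['uid'])) {
        return (string) $session['uid'];
    }
    return '';
}

// The query from the thread builds its SQL text out of $uid and $pwd, so whatever
// the user types becomes part of the statement. Placeholders keep the values
// separate from the SQL, which is what closes the injection risk.
function authenticate(PDO $pdo, string $uid, string $pwd): ?array
{
    $stmt = $pdo->prepare(
        'SELECT usertype, userid, password, fullname FROM user WHERE userid = :uid'
    );
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks $pwd against the stored salted hash; an unknown
    // user and a wrong password both fall through to the same null result.
    if ($row === false || !password_verify($pwd, $row['password'])) {
        return null;
    }
    unset($row['password']);   // never hand the hash back to the caller
    return $row;
}

// How the stored value gets written (registration, or migration away from PASSWORD()).
function storePassword(PDO $pdo, string $uid, string $pwd): void
{
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE user SET password = :hash WHERE userid = :uid');
    $stmt->execute([':hash' => $hash, ':uid' => $uid]);
}

$uid = currentUid($_POST, $_SESSION ?? []);
$user = authenticate($pdo, $uid, (string) ($_POST['pwd'] ?? ''));
```

authenticate() returns the usertype/userid/fullname row on success and null otherwise, so the calling script can branch on that rather than on raw query results.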