8/6/2019 Php Sense
http://slidepdf.com/reader/full/php-sense 1/5
PHP MySQL Login Script
Listed under PHP & MySQL
Login and user authentication is the most common feature in any dynamic website. Before we go any
further, download the PHP Login Script. The zip file contains the complete PHP source code of our
authentication script and a SQL file to create and populate the required tables. Download the file, extract
its contents and run the SQL file to create the members table.
Update (14 Aug 2008): Moved database connection details to config.php file. Edit config.php file to specify
your own database connection details.
Update (05 Feb 2008): Fixed a bug in the registration form.
Update: A simple registration form has been added to the download package.
login-form.php page simply contains a form with two fields: login and password, and should be self-
explanatory in what it does. login-exec.php script is where all the action is.
PHP Tip: Always try to keep the form and the submission/action page separate. Unless
necessary, don't make pages post information to themselves. I normally append "form" to
pages containing the form and append "exec" to the page which handles the submission. This
makes the application easier to manage when the application logic gets more complex.
Let's go through the code step by step. In the first few lines of login-exec.php, we simply start a session
and open a connection to the MySQL database.
PHP sessions tutorial
PHP MySQL tutorial
Escape special characters like ', " and \
In the simplest case, special characters may simply break your query. In a more extreme case, an attacker
might use SQL injection to gain access to your application. So it is important that we escape these
special characters with a \ (backslash). That is, insert a backslash before each special character.
We can escape special characters (prepend a backslash) using the mysql_real_escape_string or addslashes
functions. In most cases PHP will do this automatically for you, but only if the magic_quotes_gpc setting
is set to On in the php.ini file. We first check whether this setting is on or not. If the setting is off, we use
the mysql_real_escape_string function to escape special characters. If you are using a PHP version older
than 4.3.0, you can use the addslashes function instead.
A MySQL connection is required before using mysql_real_escape_string(), otherwise an
error of level E_WARNING is generated.
If the magic quotes setting is on, we do not need to escape special characters since PHP has already done
it for us. We can check magic_quotes_gpc by using the get_magic_quotes_gpc function.
<?php
if(!get_magic_quotes_gpc()) {
    // Magic quotes are off: escape the value ourselves
    $login=mysql_real_escape_string($_POST['login']);
} else {
    // Magic quotes are on: PHP has already added the backslashes
    $login=$_POST['login'];
}
?>
A simple function to escape special characters
You can use the function below to clean and prepare data for queries. The function goes through the
following steps:
1. Trims the string to remove leading and trailing spaces.
2. If you set the second parameter to true, it also encodes all characters which have HTML
character entity equivalents.
3. The function then checks the PHP version. If the version is greater than or equal to 4.3.0, it uses the
mysql_real_escape_string() function. Otherwise it uses the addslashes() function.
4. Since mysql_real_escape_string() only works if there is a connection to the MySQL server, we
first check whether we are connected to the MySQL server by using the mysql_ping() function.
<?php
function clean($str, $encode_ent = false) {
    // Step 1: remove leading and trailing whitespace
    $str = @trim($str);
    // Step 2: optionally encode characters that have HTML entity equivalents
    if($encode_ent) {
        $str = htmlentities($str);
    }
    if(version_compare(phpversion(),'4.3.0') >= 0) {
        // Undo magic quotes first so the string is not escaped twice
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        // Step 4: mysql_real_escape_string() needs a live connection
        if(@mysql_ping()) {
            $str = mysql_real_escape_string($str);
        }
        else {
            $str = addslashes($str);
        }
    }
    else {
        // Step 3: PHP older than 4.3.0 has no mysql_real_escape_string()
        if(!get_magic_quotes_gpc()) {
            $str = addslashes($str);
        }
    }
    return $str;
}
?>
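The reason clean() calls stripslashes() before escaping again is easy to see with a constructed input. The following is an added example, not code from the PHPSense article: it simulates magic_quotes_gpc=On with addslashes() (the setting no longer exists in current PHP) and uses addslashes() in place of mysql_real_escape_string() so that no MySQL connection is needed. The function name escapeOnce() and the sample value are assumptions made for the illustration.

```php
<?php
// Added example, not code from the PHPSense article: shows the
// double-escaping problem that clean() avoids by calling stripslashes()
// before escaping. magic_quotes_gpc is simulated with addslashes() because
// the setting was removed in PHP 5.4; no MySQL connection is needed.

// Mirror of clean()'s escaping logic with the magic-quotes state passed in
// explicitly and addslashes() standing in for mysql_real_escape_string().
function escapeOnce(string $value, bool $magicQuotesOn): string {
    if ($magicQuotesOn) {
        // PHP already added backslashes on input; undo that first
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// Constructed sample input containing the characters the article lists: ' " \
$submitted = 'O\'Reilly "dev" C:\\temp';

// With magic_quotes_gpc=On the form value arrives already backslashed
$asReceivedWithMagicQuotes = addslashes($submitted);

// Escaping it again without normalising first stores literal backslashes
// in the database row (O\\\'Reilly ... C:\\\\temp)
$naive = addslashes($asReceivedWithMagicQuotes);

// Normalising first gives the same result whether magic quotes is on or off
$correctOn  = escapeOnce($asReceivedWithMagicQuotes, true);
$correctOff = escapeOnce($submitted, false);

// Self-check when run from the command line
assert($correctOn === $correctOff);
assert($naive !== $correctOn);
echo "submitted:       $submitted\n";
echo "naive (double):  $naive\n";
echo "escaped once:    $correctOn\n";
```

Run it with `php` from the command line; the "naive" line shows the doubled backslashes that would end up in the members table if the value were escaped twice.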
Query the database
Next we formulate the query which will test whether a user with this login and password exists.
Note that we are not storing passwords in the database as plain text. Instead we are storing the md5
hash of the password. Use the md5 function to create a 32-character hash of any string. md5 is a one-way
hash: once the password has been hashed, there is no way to recover the original password from the hash.
So if an md5 hash cannot be reversed, how do we compare the user-submitted password with the one in
the database? The answer is that we simply generate an md5 hash of the user-submitted password and
then compare this hash to the one stored in the database.
<?php
// $login has already been escaped; the password is hashed before use
$qry="SELECT member_id FROM members WHERE login='$login'
      AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
?>
The query will return a result set with a single row if the login details are correct and zero rows if the login
details are incorrect. Use mysql_num_rows to find out the number of rows in the result set and hence
determine whether the login details were correct or not.
Store authentication status in session
Once we know that the login details are correct, we need to store this information somewhere, so that
the subsequent pages know that the user has been authenticated successfully. We use a PHP session for
this purpose.
Retrieve the member's ID from the result set and store it in the session as SESS_MEMBER_ID.
Subsequent pages will just need to test for the existence of SESS_MEMBER_ID in the session to verify the
authentication status of the user. After storing the member ID in the session, redirect the user to the
member-index.php page.
<?php
if(mysql_num_rows($result)>0) {
    //Login Successful
    //Regenerate session ID to
    //prevent session fixation attacks
    session_regenerate_id();
    $member=mysql_fetch_assoc($result);
    $_SESSION['SESS_MEMBER_ID']=$member['member_id'];
    //Write session to disc
    session_write_close();
    header("location: member-index.php");
    exit();
}
?>
If the login fails, redirect the user to the login-failed.php page.
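The same login check, written as an added example rather than the PHPSense login-exec.php, using the techniques a practitioner would reach for today in place of the ones above: a PDO prepared statement instead of escaping the login value into the query string, and password_hash()/password_verify() instead of an unsalted md5 hash. It keeps the page's members table and its member_id, login and passwd columns, but assumes passwd has been widened to hold a password_hash() string (60 or more characters) rather than a 32-character md5 digest. The db(), storePasswordHash() and authenticate() names and the connection details are placeholders; session_regenerate_id(true) additionally deletes the old session data (PHP 5.1 and later).

```php
<?php
// Added example, not the PHPSense script. Assumes table `members`
// (member_id, login, passwd) where passwd stores a password_hash() string.
// Connection details are placeholders to be replaced.

function db(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Registration side: store a salted, slow hash instead of md5().
function storePasswordHash(PDO $pdo, string $login, string $password): void {
    $stmt = $pdo->prepare(
        'INSERT INTO members (login, passwd) VALUES (:login, :passwd)'
    );
    $stmt->execute([
        ':login'  => $login,
        ':passwd' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login side: look the row up by login only (bound parameter, no escaping
// needed), then verify the hash in PHP. Returns member_id or null.
function authenticate(PDO $pdo, string $login, string $password): ?int {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare(
        'SELECT member_id, passwd FROM members WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown login: still do one hash verification so the response
        // time does not reveal whether the account exists.
        password_verify($password, $dummyHash);
        return null;
    }
    if (!password_verify($password, $row['passwd'])) {
        return null;
    }
    // Upgrade the stored hash transparently if the default cost has changed
    if (password_needs_rehash($row['passwd'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare(
            'UPDATE members SET passwd = :passwd WHERE member_id = :id'
        );
        $upd->execute([
            ':passwd' => password_hash($password, PASSWORD_DEFAULT),
            ':id'     => $row['member_id'],
        ]);
    }
    return (int) $row['member_id'];
}

// login-exec.php flow, mirroring the article's session handling
session_start();
$pdo      = db();
$memberId = authenticate($pdo, $_POST['login'] ?? '', $_POST['password'] ?? '');

if ($memberId !== null) {
    // New session id on privilege change; true discards the old session data
    session_regenerate_id(true);
    $_SESSION['SESS_MEMBER_ID'] = $memberId;
    session_write_close();
    header('Location: member-index.php');
    exit();
}
header('Location: login-failed.php');
exit();
```

Because the password is compared with password_verify() in PHP rather than inside the SQL WHERE clause, the query only ever receives the login value, and that value travels as a bound parameter, so the escaping discussed earlier is no longer part of the query's correctness.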
Preventing session fixation attacks
Once we have ascertained that the user-supplied login details are correct, we store the user's ID in a session
variable named SESS_MEMBER_ID. But before we do that, we call the session_regenerate_id()
function. This function generates a new session ID while keeping intact any information stored in the
session.
How to authenticate individual pages
As mentioned above, the presence or absence of SESS_MEMBER_ID in the session will tell us whether the
user is logged in or not. If a variable named SESS_MEMBER_ID exists in the session, then the user has
been logged in and authenticated. I have moved this logic to a separate PHP script, auth.php
<?php
//Start session
session_start();
//Check whether the session variable
//SESS_MEMBER_ID is present or not
if(!isset($_SESSION['SESS_MEMBER_ID']) ||
   (trim($_SESSION['SESS_MEMBER_ID'])=='')) {
    header("location: access-denied.php");
    exit();
}
?>
Now we can just include the auth.php file in any page we want to password protect. See the
member-index.php and member-profile.php pages for examples.
How to logout the user
To logout the user, simply unset the SESS_MEMBER_ID variable. See the logout.php script for an example.
<?php
//Start session
session_start();
//Unset the variable SESS_MEMBER_ID stored in session
unset($_SESSION['SESS_MEMBER_ID']);
?>
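Unsetting SESS_MEMBER_ID is enough for auth.php to deny access, but the session record and the browser's cookie stay alive until they expire on their own. The following added example (not the PHPSense logout.php) ends the session completely, using the pattern from the PHP manual's session_destroy() page. It assumes the default cookie-based session handler; the redirect target login-form.php is taken from the article.

```php
<?php
// Added example, not the PHPSense logout.php: end the session completely
// instead of only unsetting SESS_MEMBER_ID. Assumes PHP's default
// cookie-based session handler.
session_start();

// 1. Drop every server-side session value, not just the member id.
$_SESSION = [];

// 2. Expire the session cookie in the browser so the old id is not
//    sent back on the next request.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// 3. Delete the session data stored on the server.
session_destroy();

header('Location: login-form.php');
exit();
```

Logging out this way means an old session id captured earlier cannot be replayed after the user leaves, which complements the session_regenerate_id() call made at login.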
PHP login script
Download the Login Script to get the full source code for the above examples.
Here is a brief description of the main files:
login-form.php – The login form
login-exec.php – This script queries the database to check the login credentials
auth.php – This script checks whether the user is logged in or not. Include this script at the top of any page you want to password protect.
member-index.php – Sample password protected page
member-profile.php – Sample password protected page
register-form.php – Registration form for creating new user accounts.
register-exec.php – Performs input validation and creates a new user account.
Comments
Fred Riley Jul 26, 2007
This is a nice collection of scripts. I’ve been searching for some good authentication code and of all the
scripts I’ve seen that support password encryption and guard against hack attacks, this is the easiest to
understand, the most concise, and the easiest to adapt and deploy. Thanks – very useful, and you’ve
saved me writing a system from scratch.
Aaron Sweeney Oct 11, 2007
I have been trying to put a Members Only area on my website to no avail. This script is so easy to
understand and implement. Thank you so much for this.
Furura Oct 29, 2007
Thank you very much for this script! I've been trying to find one that works! And this actually works!
Thanks!
Jake Oct 29, 2007
Thank you for this script, I'll definitely use this one!
Bright Oct 31, 2007
J! thanks a lot for this script – really saved me from all hustle to get me project running! This is definitely a
good work.
B
Adam Scott Dec 01, 2007
That is an amazing code. I have been around to many, many different sites and couldn’t get one that
worked as easy and as well as yours. The only thing that I was trying to do was view the entered
password, but…what would be the point of such a secure script if you are going to make the password
unprotected…very very well done!! !!
ramesh Dec 27, 2007
wonderful script, i like it very much, please provide some more new scripts in php mysql.
thank you very much for the script
Adelevie Jan 26, 2008
I am a php/mysql nub. How do I make it so member-index.php displays user information, ie, “Welcome,
[firstname]”?
Jatinder Jan 29, 2008
Adelevie, you can store user information like name or email in the session and then retrieve this
information later on in other pages.
Take a look at login-exec.php script, line 33. I am storing the user's member_id (primary key) in the
session.
$_SESSION['SESS_MEMBER_ID']=$member['member_id'];
You can store values from other database columns as well using the same syntax. To learn more about
using sessions, please read PHP Sessions Tutorial
Casper Feb 03, 2008
Hello, another newbie here.
When I use your register-form, it returns with a "First name missing", "Last name missing" and so on.
I removed the check from reg-exec, and without it, it does actually register with empty fields.
Any idea what I might be doing wrong?
Mathew Feb 04, 2008
Would it be possible to also include a, “I forgot my password” script?
Jatinder Feb 05, 2008
Casper,
Thank you for pointing out the bug. You can download the updated script from the download link in the
article above.
ztomsk Feb 08, 2008
I almost never feel the urge to post comments … but I just had to acknowledge your work. I gotta say I am
impressed with the simplicity and functionality of your scripts. The code is very clean. Nice work for
sure(and i’m sure you can do much more complex coding than this)… you get three claps from me.
Meni Feb 12, 2008
How can I get the script if somebody forgets the password? Can it be sent to the user via email or simply
reset?
Will Feb 23, 2008
Awesome script. I have one quick question: Is there a simple way I can have three individual private
member areas? For example, if a user is a student they are redirected to private1.php, a teacher, they go
to private2.php and an administrator to private3.php?
I'd like it so nobody can see any page but their own (students cannot see teacher or admin pages).
Thanks so much!
Will Mar 10, 2008
Can anyone offer a Forgot Password script to work with this login? That would be great.
Paul Mar 28, 2008
Thanks for the brilliant scripts and tutorial. Got this up and running within 24hrs and that's from
someone with no previous php/mysql knowledge.
I am also now trying to work out how I can have client specific areas after the login. Although I'm thinking
that Will ^^ could add an additional id to his db that he could assign a number that corresponds with
each tier of pages that can be accessed?
Jatinder Mar 31, 2008
[Will]
I have received a number of requests for “Forgot Password” feature. I will add this feature as soon as I
get some time to update this script.
Thomas Aug 13, 2008
Jatinder,
Great script, thanks for sharing. Just a question regarding the storing of database access credentials in a
separate php page as opposed to how you have it in your exec pages? Is there any real benefit or
standard here?
Thanks.
Jatinder Aug 14, 2008
[Thomas]
There are absolutely no benefits in storing access details in the exec pages. The only reason I did that
was to keep the script as simple as possible because it is targeted at PHP newbies.
In fact I have advocated the use of PHP includes in another of my articles.
But recently I have received a number of emails from users asking me how to change the database
connection details. Therefore I have moved the connection details to a separate config.php file.
Good Time Tribe Aug 10, 2009
Thanks for the awesome code. It was easy to adapt for use with my existing singleton database
connection class. I disagree with your opinion on having separate form/code files, I think you’ll do better
to make them all in one, especially for the purpose of a tutorial. I may be a new PHP developer, so there
could be a thousand people yelling differently. I do however encourage separate files for classes, and I
wish I had seen more object-oriented application here.
Michael Norris Sep 27, 2009
Hi there, is it possible to log the user out when a tab/ window is closed?
Thanks
Jatinder Sep 30, 2009
@Michael Norris
The login script is using temporary cookies. That is, the session should expire as soon as you close the
browser.
However, if the session persists for you even after restarting the browser, please check your
"session.cookie_lifetime" setting.
MrFrans Oct 07, 2009
I noticed something odd. You sanitize all user supplied values, but in the sql query you don't use the
sanitized version $password, but you use $_POST['$password']
Jatinder Oct 08, 2009
@MrFrans
We will be converting $_POST['$password'] into a md5 hash. Therefore we don't need to sanitize it.
© 2009 PHPSense.com - PHP MySQL Login Script