Phplogin

Tutorials - Creating a PHP Login Script -
Page 1 of 12
http://www.free2code.net
Creating a PHP Login Script

Author: Jester (back to original version)
Notes
There are a few things you should know before you attempt to use this script. The next release of PHP will have register_globals set to Off by default. You're encouraged to write your scripts with this in mind, in this article we won't be using normal variables, we will be using $_POST, $_GET... etc. These were introduced in PHP 4.1.0,. We will also be using sessions with PHP, if you don't understand sessions, or don't know what they are it would be a good idea to read the page so you can understand the coding, and edit it to your needs. I will be using the PEAR::DB classes to access the database, so you can easily make the scripts work with whatever database you are using. If you are unfamiliar with PEAR::DB read this great article: Abstract PHP's database code with PEAR::DB. With this in mind, I recommend using a .htaccess file (if you use apache) to set some PHP values, use the following, if relevant.
php_value php_value php_value php_value register_globals Off track_vars On arg_separator.output "&" arg_separator.input "&"
Planning
We want a system that will allow a user to 'login', preserve that user's login data across multiple requests, allow them access to certain areas only when they are logged in, and allow them to be able to logout. So let's think logically, what do we need? User database, containing their password, username, and some personal information to create a community feel. Allow them to 'sign up' if they aren't a member. A method of checking whether or not the user is 'logged in.' Allow them to 'log in' if they're not. Allow them to 'log out' when they are done. Now we need to turn that logic into code, so let us continue....
User database
We need a place to store user information. We need to be able to extract this data to authenticate them and insert new data for new members. This article will use an SQL database for this. We need to design the user database, but first of all we need to connect to the database.
Connecting
http://www.free2code.net/tutorials/programming/php/4/phplogin.php?page=1&print=1
11.9.2004
Page 2 of 12
We are using the PEAR::DB classes for more portable database coding, rather than using databasespecific functions.
db_connect.php
<?php //require the PEAR::DB classes. require_once 'DB.php';
$db_engine $db_user = $db_pass = $db_host = $db_name =
= 'mysql'; 'username'; 'password'; 'localhost'; 'database';
$datasource = $db_engine.'://'. $db_user.':'. $db_pass.'@'. $db_host.'/'. $db_name;
$db_object = DB::connect($datasource, TRUE); /* assign database object in $db_object, if the connection fails $db_object will contain the error message. */ // If $db_object contains an error: // error and exit. if(DB::isError($db_object)) { die($db_object->getMessage()); } $db_object->setFetchMode(DB_FETCHMODE_ASSOC); // we write this later on, ignore for now. include('check_login.php'); ?>
There we have it, that script will create a connection object which we can use in other scripts to do stuff with the database. This script should be put outside your document tree, or in a protected directory to prevent people accessing it directly. There are various things you need to customise. $db_engine - Your database engine, a list of possible values is below. $db_user - Your username to access the database. $db_pass - Your password. $db_host - The host of the database server.
11.9.2004
Page 3 of 12
$db_name - The name of the database to connect to. A list of possible database engine values are: mysql -> MySQL pgsql -> PostgreSQL ibase -> InterBase msql -> Mini SQL mssql -> Microsoft SQL Server oci8 -> Oracle 7/8/8i odbc -> ODBC (Open Database Connectivity sybase -> SyBase ifx -> Informix fbsql -> FrontBase So now we have our connection to the database, save this file as db_connect.php. Next we need to design the database, I am providing a script that will create this table for you.
Our Table (table.php)

<?php require 'db_connect.php'; // require above script // change the path to match wherever you put it.
$table = "CREATE TABLE users ( id int(10) DEFAULT '0' NOT NULL auto_increment, username varchar(40), password varchar(50), regdate varchar(20), email varchar(100), website varchar(150), location varchar(150), show_email int(2) DEFAULT '0', last_login varchar(20), PRIMARY KEY(id))"; $create = $db_object->query($table); //perform query
if(DB::isError($create)) { die($create->getMessage()); } else { echo 'Table created successfully.'; } $db_object->disconnect(); ?>
That script will create a table in the database you specified, once you have executed this script you can take it out of your document tree so others cannot run it. We will use this table to store user information,
11.9.2004
Page 4 of 12
retrieve it and check it. Now we need to allow users to become members.
Allow Them To "Sign Up"

A user database is no good unless we have users in it, so we need to allow users to add themselves, we use a simple form to allow them to pick a username, password, enter their e-mail address and any other information they choose, and then insert this data into the database.
Register.php
<?php require('db_connect.php'); ?> // database connect script.
<html> <head> <title>Register an Account</title> </head> <body> <?php if (isset($_POST['submit'])) { // if form has been submitted /* check they filled in what they supposed to, passwords matched, username isn't already taken, etc. */ if (!$_POST['uname'] | !$_POST['passwd'] | !$_POST['passwd_again'] | !$_POST die('You did not fill in a required field.'); } // check if username exists in database. if (!get_magic_quotes_gpc()) { $_POST['uname'] = addslashes($_POST['uname']); }
$name_check = $db_object->query("SELECT username FROM users WHERE username = if (DB::isError($name_check)) { die($name_check->getMessage()); } $name_checkk = $name_check->numRows(); if ($name_checkk != 0) { die('Sorry, the username: <strong>'.$_POST['uname'].'</strong> is al } // check passwords match if ($_POST['passwd'] != $_POST['passwd_again']) { die('Passwords did not match.'); } // check e-mail format
11.9.2004
Page 5 of 12
if (!preg_match("/.*@.*..*/", $_POST['email']) | preg_match("/(<|>)/", $_POS die('Invalid e-mail address.'); } // no HTML tags in username, website, location, password $_POST['uname'] = strip_tags($_POST['uname']); $_POST['passwd'] = strip_tags($_POST['passwd']); $_POST['website'] = strip_tags($_POST['website']); $_POST['location'] = strip_tags($_POST['location']);
// check show_email data if ($_POST['show_email'] != 0 & $_POST['show_email'] != 1) { die('Nope'); } /* the rest of the information is optional, the only thing we need to check is if they submitted a website, and if so, check the format is ok. */ if ($_POST['website'] != '' & !preg_match("/^(http|ftp):\/\//", $_POST['webs $_POST['website'] = 'http://'.$_POST['website']; } // now we can add them to the database. // encrypt password $_POST['passwd'] = md5($_POST['passwd']); if (!get_magic_quotes_gpc()) { $_POST['passwd'] = addslashes($_POST['passwd']); $_POST['email'] = addslashes($_POST['email']); $_POST['website'] = addslashes($_POST['website']); $_POST['location'] = addslashes($_POST['location']); }
$regdate = date('m d, Y'); $insert = "INSERT INTO users ( username, password, regdate, email, website, location, show_email, last_login) VALUES ( '".$_POST['uname']."', '".$_POST['passwd']."', '$regdate', '".$_POST['email']."', '".$_POST['website']."', '".$_POST['location']."',
11.9.2004
Page 6 of 12
'".$_POST['show_email']."', 'Never')"; $add_member = $db_object->query($insert); if (DB::isError($add_member)) { die($add_member->getMessage()); } $db_object->disconnect(); ?>
<h1>Registered</h1> <p>Thank you, your information has been added to the database, you may now <a href=" <?php } else { // if form hasn't been submitted
?> <h1>Register</h1> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <table align="center" border="1" cellspacing="0" cellpadding="3"> <tr><td>Username*:</td><td> <input type="text" name="uname" maxlength="40"> </td></tr> <tr><td>Password*:</td><td> <input type="password" name="passwd" maxlength="50"> </td></tr> <tr><td>Confirm Password*:</td><td> <input type="password" name="passwd_again" maxlength="50"> </td></tr> <tr><td>E-Mail*:</td><td> <input type="text" name="email" maxlength="100"> </td></tr> <tr><td>Website:</td><td> <input type="text" name="website" maxlength="150"> </td></tr> <tr><td>Location</td><td> <input type="text" name="location" maxlength="150"> </td></tr> <tr><td>Show E-Mail?</td><td> <select name="show_email"> <option value="1" selected="selected">Yes</option> <option value="0">No</option></select> </td></tr> <tr><td colspan="2" align="right"> <input type="submit" name="submit" value="Sign Up"> </td></tr> </table> </form> <?php } ?> </body>
11.9.2004
Page 7 of 12
</html>
The above script allows the user to register an account, inserting their data into the database, we must perform various checks before we allow this. Checking if the username has been taken, if their passwords matched, and a few security checks. We also encrypt the password in the database for extra security. If all checks are okay we insert the data. Now the user is in the database, we still have to allow them to login, but first we need to write the script that will check if they are logged in or not.
Check if they are "logged in"

This script will assign a variable, $logged_in to either 1 (if they are logged in), or 0 if they aren't. We can then use this variable in our scripts. A few points: We are going to use $_SESSION['username'] for our user's username and $_SESSION ['password'] for their password. $_SESSION['password'] will be encrypted. We need to start our session somewhere, here is a good place.
check_login.php
<?php /* check login script, included in db_connect.php. */ session_start(); if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) { $logged_in = 0; return; } else { // remember, $_SESSION['password'] will be encrypted. if(!get_magic_quotes_gpc()) { $_SESSION['username'] = addslashes($_SESSION['username']); }
// addslashes to session username before using in a query. $pass = $db_object->query("SELECT password FROM users WHERE username = '".$_ if(DB::isError($pass) || $pass->numRows() != 1) { $logged_in = 0; unset($_SESSION['username']); unset($_SESSION['password']); // kill incorrect session variables. } $db_pass = $pass->fetchRow(); // now we have encrypted pass from DB in //$db_pass['password'], stripslashes() just incase: $db_pass['password'] = stripslashes($db_pass['password']); $_SESSION['password'] = stripslashes($_SESSION['password']);
11.9.2004
Page 8 of 12
//compare:
if($_SESSION['password'] == $db_pass['password']) { // valid password for username $logged_in = 1; // they have correct info // in session variables. } else { $logged_in = 0; unset($_SESSION['username']); unset($_SESSION['password']); // kill incorrect session variables. } }
// clean up unset($db_pass['password']); $_SESSION['username'] = stripslashes($_SESSION['username']); ?>
What we did here was: If session variables aren't set, they're not logged in. If they are set, fetch the password row from the database where the username is equal to the session variable username. If password cannot be fetched, the username mustn't exist, kill bad session variables. If the password is fetched, username is correct, compare the encrypted password from the database to the session variable password, if it matches log them in, if not the password is incorrect. Don't set them as logged in and kill bad session variables. So now we have our database connection, users can register accounts, we are capable of checking whether they are logged in or not. We can use $logged_in in our scripts now. All that is left is to allow users to log in and log out.
Allow them to 'log in'

Now we need to create the script that will allow the user to submit their username and password, check if they are correct and, if so, register them as session variables. Once we register the session variables the user will be deemed as "logged in", $logged_in will be true until they 'log out.'
login.php
<?php // database connect script. require 'db_connect.php'; if($logged_in == 1) { die('You are already logged in, '.$_SESSION['username'].'.');
11.9.2004
Page 9 of 12
?> <html> <head> <title>Login</title> </head> <body> <?php if (isset($_POST['submit'])) { // if form has been submitted
/* check they filled in what they were supposed to and authenticate */ if(!$_POST['uname'] | !$_POST['passwd']) { die('You did not fill in a required field.'); } // authenticate. if (!get_magic_quotes_gpc()) { $_POST['uname'] = addslashes($_POST['uname']); } $check = $db_object->query("SELECT username, password FROM users WHERE usern if (DB::isError($check) || $check->numRows() == 0) { die('That username does not exist in our database.'); } $info = $check->fetchRow(); // check passwords match $_POST['passwd'] = stripslashes($_POST['passwd']); $info['password'] = stripslashes($info['password']); $_POST['passwd'] = md5($_POST['passwd']); if ($_POST['passwd'] != $info['password']) { die('Incorrect password, please try again.'); } // if we get here username and password are correct, //register session variables and set last login time. $date = date('m d, Y'); $update_login = $db_object->query("UPDATE users SET last_login = '$date' WHE $_POST['uname'] = stripslashes($_POST['uname']); $_SESSION['username'] = $_POST['uname']; $_SESSION['password'] = $_POST['passwd']; $db_object->disconnect(); ?> <h1>Logged in</h1> <p>Welcome back <?php echo $_SESSION['username']; ?>, you are logged in.</p>
11.9.2004
Page 10 of 12
<?php } else { // if form hasn't been submitted
?> <h1>Login</h1> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <table align="center" border="1" cellspacing="0" cellpadding="3"> <tr><td>Username:</td><td> <input type="text" name="uname" maxlength="40"> </td></tr> <tr><td>Password:</td><td> <input type="password" name="passwd" maxlength="50"> </td></tr> <tr><td colspan="2" align="right"> <input type="submit" name="submit" value="Login"> </td></tr> </table> </form> <?php } ?> </body> </html>
Now we have our 'log in' script. When the user loads this page they are presented with a form that allows them to submit their username and password. We then check if thatsuers is in the database, if it is we take the password associated with that username and compare it with the user's submitted password, if they match the user submitted the correct information. We can register the username and password (encrypted) as session variables. Now these session variables will be subject to inspection by the check_login.php script, authenticating the user each time a page is loaded, allowing us to use our $logged_in variable to check for a correct log in. When the user has done, it's a good idea to allow them to "log out".
Allow them to 'log out'
To log a user out we simply destroy their session variables and their session.
logout.php
<?php require 'db_connect.php'; // database connect script.
if ($logged_in == 0) { die('You are not logged in so you cannot log out.'); }
unset($_SESSION['username']); unset($_SESSION['password']); // kill session variables $_SESSION = array(); // reset session array session_destroy(); // destroy session. header('Location: index.php'); // redirect them to anywhere you like. ?>
11.9.2004
Page 11 of 12
That script is very simple, once the session variables are unset the check_login.php script will set $logged_in to zero, so they will not be classed as "logged in".
Usage
Now we have the base of a login system, so let's look at a practical usage of these scripts. A page would look like so:
example.php
<?php require 'db_connect.php'; // require our database connection // which also contains the check_login.php // script. We have $logged_in for use. if ($logged_in == 0) { die('Sorry you are not logged in, this area is restricted to registered memb }
// show content $db_object->disconnect(); // when you are done. ?>
This makes it very easy to restrict access to a document, only a person whose information has been authenticated by check_login.php will be able to view the page, the others will be offered a link to 'log in.'
More...
There are various ways we can jazz up this little member system, such as a user online script, a member list, member profiles, instant message system... the list goes on and on. This is the bear minumum, it's up to you to edit it to your needs, if you need any help use the comments system below and someone will answer. We can use $_SESSION['username'] to interact with the database row associated with the current logged in user, $logged_in to check for a positive login, we can do just about anything now. We could do this:
example2.php
<?php require 'db_connect.php'; if ($logged_in == 1) { echo 'Logged in as '.$_SESSION['username'].', <a href="logout.php">logout</a } else { echo 'Not logged in. <a href="login.php">Login</a>';
11.9.2004
Page 12 of 12
} ?>
Showing the user what name they are logged in as and offering a link to logout, while they are logged in, or telling them they aren't logged in and offering them a link to do so, if they're not logged in. The list really is endless, I cannot really include more, this article is long enough, if you would like to see a how-to on a few things you can do with this, leave a comment below, if there is enough interest I will find the time to write it.
Conclusion
Remember this script isn't ready-to-go, you will need to do some editing. The layout of each page leaves a lot to be desired, jazz them up, you can add more to the user table, create different user levels so members have different access rights depending on their rank -- be creative. Just rememeber to include the db_connect.php script in any document that is part of the member system. Here are a few links that may help you get to grips with the features discussed in this article. PHP Sessions Learn how to implement sessions Using PEAR::DB Database Security These scripts have been tested and worked fine for me, if you have any problems feel free to comment, certain databases may require the system to be edited slightly. This article is somewhat discursive, if anyone is confused by my rambling feel free to drop me an e-mail and I'll be happy to elaborate on the areas in which you are having difficulties.
11.9.2004

Phplogin

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Phplogin

Uploaded by

Copyright:

Available Formats

Tutorials - Creating a PHP Login Script -

Creating a PHP Login Script

Tutorials - Creating a PHP Login Script -

$db_engine $db_user = $db_pass = $db_host = $db_name =

= 'mysql'; 'username'; 'password'; 'localhost'; 'database';

$datasource = $db_engine.'://'. $db_user.':'. $db_pass.'@'. $db_host.'/'. $db_name;

Tutorials - Creating a PHP Login Script -

Our Table (table.php)

if(DB::isError($create)) { die($create->getMessage()); } else { echo 'Table created successfully.'; } $db_object->disconnect(); ?>

Tutorials - Creating a PHP Login Script -

Allow Them To "Sign Up"

Tutorials - Creating a PHP Login Script -

Tutorials - Creating a PHP Login Script -

'".$_POST['show_email']."', 'Never')"; $add_member = $db_object->query($insert); if (DB::isError($add_member)) { die($add_member->getMessage()); } $db_object->disconnect(); ?>

Tutorials - Creating a PHP Login Script -

Check if they are "logged in"

Tutorials - Creating a PHP Login Script -

// clean up unset($db_pass['password']); $_SESSION['username'] = stripslashes($_SESSION['username']); ?>

Allow them to 'log in'

Tutorials - Creating a PHP Login Script -

Tutorials - Creating a PHP Login Script -

<?php } else { // if form hasn't been submitted

if ($logged_in == 0) { die('You are not logged in so you cannot log out.'); }

Tutorials - Creating a PHP Login Script -

// show content $db_object->disconnect(); // when you are done. ?>

Tutorials - Creating a PHP Login Script -

You might also like