Login System with PHP and MySQL

Saturday, June 9, 2007

This example shows how to make a password-protected page using PHP and MySQL. It's a very simple example that relies on PHP sessions. You'll need a login form where the user enters a username and password, a PHP script that checks the submitted username and password, and a table that holds the valid usernames and passwords. You can add valid usernames and passwords to this table using phpMyAdmin, or write a separate script for that.

Here's the flow. First, the user submits a username and password from the login form. Then a PHP script checks the database for that username and password. If they are found, the script starts a session and saves that username and password as key variables. If they are not found, the user is redirected back to the login form page. Once a session has been created, we simply put a line containing a session check in every page that we need to protect. The code below will explain it better.

First, a table containing valid usernames and passwords. A simple query like this will do:

CREATE TABLE users (
    user_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(20),
    password VARCHAR(50)
);

Then insert a dummy user and password for testing:

-- PASSWORD() is MySQL's own hash function; it is not available in MySQL 8.0 and later
INSERT INTO users (username, password) VALUES ('admin', PASSWORD('mypassword'));

Now create the login form; let's name it login.php:

<form action="login_handler.php" method="post">
    Username:<input name="username" maxlength="40" type="text">
    Password:<input name="pass" maxlength="50" type="password">
    <input name="submit" value="Login" type="submit">
</form>
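
Next is the handler that checks whether the submitted username and password are valid; name it login_handler.php:

<?php
session_start();

// Read the fields that login.php posts ("username" and "pass") from $_POST;
// PHP no longer creates $username or $password automatically.
if (isset($_POST["username"]) && isset($_POST["pass"])) {
    $username = $_POST["username"];
    $password = $_POST["pass"];

    // enter your database configuration here
    $host = "";
    $dbuser = "";
    $dbpassword = "";
    $dbname = "";
    $dbh = mysqli_connect($host, $dbuser, $dbpassword, $dbname) or die(mysqli_connect_error());
    // end of database configuration

    // Prepared statement: the submitted values are bound as data, not spliced into the SQL
    $stmt = mysqli_prepare($dbh, "select user_id from users where username=? and password=PASSWORD(?)");
    mysqli_stmt_bind_param($stmt, "ss", $username, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    if (!mysqli_stmt_num_rows($stmt)) {
        echo "Access denied !";
        exit;
    } else {
        // Issue a new session id at login so an id handed out before login is not kept
        session_regenerate_id(true);
        // member.php only reads the "login" entry
        $_SESSION["authLogData"] = array("login" => $username, "password" => $password);
        mysqli_close($dbh);
        header("Location: member.php");
        exit; // just in case ^_^
    }
}
?>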
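
Finally, member.php is the page that needs authorization. The file would look like this:

<?php
session_start();
// No session data, or an empty login name: send the visitor to the login form
if (!isset($_SESSION["authLogData"]) || $_SESSION["authLogData"]["login"] == "") {
    header("Location: login.php");
    exit; // without this, the member content below is still sent
}
//member content goes here
//......
?>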

The conditional (that is, if(){....}) simply redirects the user to the login form if no session has been created. That way, the user can't access this file directly and has to log in first. For every page that needs authorization, you just have to add that conditional ( if(){....} ). And voila, you're done. And I forgot to mention back then, you'll need a logout script too! Here is the code:

<?php
session_start();
// Drop the login data, then destroy the session itself
unset($_SESSION["authLogData"]);
session_destroy();
header("Location: login.php");
exit;
?>

As before, I haven't tested these scripts, so I would appreciate it if anyone has tested them. Any feedback would be very, very appreciated.
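
A hardened variant of the check done in login_handler.php, as an added example that is not part of the original post: the password is stored with PHP's password_hash() instead of MySQL's PASSWORD() and is looked up through a PDO prepared statement. The password_hash column, the create_user() and check_login() helpers, the second test account and the in-memory SQLite database (standing in for MySQL so the script runs by itself) are assumptions.

```php
<?php
// Added example; create_user(), check_login() and the password_hash column are assumed names.
// In-memory SQLite stands in for MySQL so this runs by itself; for MySQL change the PDO DSN.

function create_user(PDO $db, string $username, string $password): void {
    // password_hash() salts the password and uses a slow hash (bcrypt by default)
    $stmt = $db->prepare("INSERT INTO users (username, password_hash) VALUES (?, ?)");
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $username, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash("constructed-dummy-value", PASSWORD_DEFAULT);

    // Bound parameter: the username is passed as data, not spliced into the SQL
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Unknown user: verify against a dummy hash anyway, so the response time
    // does not show which usernames exist.
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $hash !== false && $ok;
}

$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY,
           username VARCHAR(20) UNIQUE, password_hash VARCHAR(255))");
create_user($db, "admin", "mypassword");            // the page's test account
create_user($db, "o'brien", "s3cret-constructed");  // constructed: quote in the name

$attempts = [["admin", "mypassword"], ["admin", "wrong"],
             ["nobody", "mypassword"], ["o'brien", "s3cret-constructed"]];
foreach ($attempts as [$u, $p]) {
    printf("%-8s %-20s %s\n", $u, $p, check_login($db, $u, $p) ? "login ok" : "Access denied !");
}
```
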
