PHP User Authentication (simple login script)

This php script runs in a localhost host (in your own machine). I have used dreamweaver to create this script.

Below is the code for the above form.

Note: We must set the names of the fields for both the username and the password including the submit button. For this example, I have used the username and password for the text fields and login for the submit button.

Having this form, we can now create the php login script.

1. 
2. if(isset($_POST['login'])){
3. $link=mysql_connect("localhost","root") or die("Cannot Connect!");
4. mysql_select_db("users",$link);
5. $sql="select * from user where username='".$_POST['username']."' and password='".$_POST['password']."'";
6. $result=mysql_query($sql);
7. if(mysql_num_rows($result)==1){
8. session_start();
9. $_SESSION['username']=$_POST['username'];
10. $_SESSION['log']=true;
11. header('location: mypage.php');
12. }
13. else{
14. echo "Invalid Username or Password! Try Again.";
15. }
16. }
17. ?>

On line 1,

• Start/beginning tag of the php script.
  

On line 2,

• Checks if user clicks on the login button.

On line 3, when the user have clicked the login button

• it will going to create a connection to the database server which is MySQL that is running in the PhpMyAdmin interface. mysql_connect("server","user","password"). In this example, since we are running the script in a localhost, we will use localhost as the server and root for the user (note: localhost and root is the default value of PhpMyAdmin).
  
• If the connection attempt was successful, it will continue the script, otherwise it will return the die("") function and display what ever string you are going to set inside the function.

On line 4,

• If the connection attempt was successful, it will going to select the database using the mysql_select_db("dbName",connection) function. For this example, we use the database "users" and "$link" as the connection to MySQL.

On line 5 and 6,

• After selecting the specific database to use, we are now ready to make a MySQL query. On line 5, we have set $sql as a variable for our query string and on line 6 we are doing the actual MySQL query.
  
• (Note: In the query, you have noticed I have highlighted (red) the names of password and username. These are the names given to the textfields in our form in order to have a correct referencing once we run the MySQL Query)

On line 7 to 12,

• We do the checking, once a record is found based on our query, it will going to start the session by using the session_start() function. After calling this function, we are now going to use the $_Session['some_parameter'] variable to set for that certain user who logged in. In this example, we have used 'username' and 'log' to name our session variable. (Note: DO NOT be confused in the username of the session variable and the username in the textfield. In the session variable, any name can be defined.) Now, we have initialized the $_Session['username'] variable with the name of the user which is the $_POST['username']. Also we have initialized a boolean $_Session['log'] variable to true which will be discussed in the next topic. And finally, on line 10, after initializing all the $_Session variables, we will redirect the user to a certain page, in this case mypage.php.

On line 13 to 15,

• If the MySQL query did not match any condition in the database, it will display an error.

On line 17,

• It indicates the closing tag for php script.

Below is the complete login page (php login script).

1. 
2. if(isset($_POST['login'])){
3. $link=mysql_connect("localhost","root") or die("Cannot Connect!");
4. mysql_select_db("users",$link);
5. $sql="select * from user where username='".$_POST['username']."' and password='".$_POST['password']."'";
6. $result=mysql_query($sql);
7. if(mysql_num_rows($result)==1){
8. session_start();
9. $_SESSION['username']=$_POST['username'];
10. $_SESSION['log']=true;
11. header('location: mypage.php');
12. }
13. else{
14. echo "Invalid Username or Password! Try Again.";
15. }
16. }
17. ?>

------------ After a successful login, it will redirect to mypage.php ------------------

1. 
2. session_start();
   
3. if($_SESSION['log']==true){
4. echo " WELCOME ".$_SESSION['username']."! YOU HAVE LOGGED IN...";
5. echo "Dont forget to Logout afterwards.";
6. }
7. else{
8. header('location:login.php');
9. }
10. ?>
    

On line 1,2 and 10,

• Same explanation above. :-)

On line 3,

• It will going to check if the $_Session['log'] variable is true. This is essential for the reason that it does not allow user to directly access mypage.php webpage without logging in.
  

On line 4, 5,

• If the $_Session['log'] variable is true, It will going to display the welcome note with the name of the user who logged in. And in line 5, it gives the user the access to logout from the website.

On line 7, 9,

• If the user will going to access the mypage.php page directly without logging in, and the php script will going to check if the $_Session['log'] variable is true, it will disregard these lines, however, if $_Session['log'] variable is false, it will going to redirect in the login page.
  

------------------------------------------------------------------------------------------------------------


------------------------------------ This is for the logout script --------------------------------------

1. 
   
2. session_start();
3. session_destroy();
4. header('location:login.php');
5. ?>

If the user will going to click the logout link located in the mypage.php, it will going to run this script. On line 2, session_start() must always be in your php scripts in order to effectively use the session variables ($_Session[], session_destroy()). Now the session_destroy by its name, it will going to destroy all initialized sessions, in this case the $_SESSION['username'] and $_SESSION['log'] and on line 4, it will going to bring the user to the login.php page.

------------------------------------------------------------------------------------------------------------

There you have it, the simple login/logout php scripts.

IMPORTANT: The above scripts that does not stop hackers from using php injection. To make an advance user authentication scripts, follow this LINK. The script is basically the same, but in order to avoid hackers from using php injection and mess up with your website, you have to use encryption and mysql_real_escape_string.

Goodluck and enjoy web programming... :) Open for your comments.. thanks!