Part 4: Create your own Login System using PHP and MySQL

Nov 28, 2022   //   by h05t5cr1pt3r

4. Authenticating Users with PHP

Now that we have our database set up, we can go ahead and start coding with PHP. We’re going to start with the authentication file, which will process and validate the form data that we’ll send from our index.html file.

Edit the authenticate.php file and add the following:

<?php
session_start();
// Change this to your connection info.
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'phplogin';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
	// If there is an error with the connection, stop the script and display the error.
	exit('Failed to connect to MySQL: ' . mysqli_connect_error());
}

First, the code starts the session. This lets us preserve account details on the server, and we’ll use it later on to remember logged-in users.

Connecting to the database is essential. Without it, how can we retrieve and store information related to our users? Therefore, we must make sure to update the variables to reflect our MySQL database credentials.

Add below:

// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
	// Could not get the data that should have been sent.
	exit('Please fill both the username and password fields!');
}

The above code makes sure the form data exists. If the user tries to access the file without submitting the form, it will output a simple error.

Add below:

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $con->prepare('SELECT id, password FROM accounts WHERE username = ?')) {
	// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
	$stmt->bind_param('s', $_POST['username']);
	$stmt->execute();
	// Store the result so we can check if the account exists in the database.
	$stmt->store_result();


	$stmt->close();
}
?>

The above code will prepare the SQL statement that will select the id and password columns from the accounts table. In addition, it will bind the username to the SQL statement, execute, and then store the result.

After the following line:

$stmt->store_result();

Add:

if ($stmt->num_rows > 0) {
	$stmt->bind_result($id, $password);
	$stmt->fetch();
	// Account exists, now we verify the password.
	// Note: remember to use password_hash in your registration file to store the hashed passwords.
	if (password_verify($_POST['password'], $password)) {
		// Verification success! User has logged-in!
		// Create sessions, so we know the user is logged in, they basically act like cookies but remember the data on the server.
		session_regenerate_id();
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['name'] = $_POST['username'];
		$_SESSION['id'] = $id;
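		// Escape the name on output so a username containing HTML is shown as text.
		echo 'Welcome ' . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8') . '!';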
	} else {
		// Incorrect password
		echo 'Incorrect username and/or password!';
	}
} else {
	// Incorrect username
	echo 'Incorrect username and/or password!';
}

First, we need to check if the query has returned any results. If the username doesn’t exist in the database then there would be no results.

If the username exists, we can bind the results to both the $id and $password variables.

Subsequently, we proceed to verify the password with the password_verify function. Only passwords that were created with the password_hash function will work.

If you don’t want to use any password hashing method, you can simply replace the following code:

if (password_verify($_POST['password'], $password)) {

With:

if ($_POST['password'] === $password) {

However, I don’t recommend removing the hashing functions because if somehow your database becomes exposed, all the passwords stored in the accounts table will also be exposed. In addition, the user will have a sense of privacy knowing their password is hashed.
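The hashing side of this step as an added example (not code from the original tutorial): it shows what the registration file should store, how password_verify() checks it, and how to keep the two "Incorrect username and/or password!" paths doing the same amount of work so response time does not reveal whether a username exists. The names make_account, check_login and the in-memory $accounts array are assumptions standing in for the accounts table.

```php
<?php
// Added example, not the tutorial's code. $accounts is a constructed in-memory
// stand-in for the accounts table: username => ['id' => ..., 'password' => hash].

// What the registration file stores: a salted hash, never the plaintext.
function make_account(int $id, string $plain): array {
    return ['id' => $id, 'password' => password_hash($plain, PASSWORD_DEFAULT)];
}

// Returns the account id on success and null on failure. Unknown usernames are
// checked against a dummy hash, so both failure paths run one password_verify().
function check_login(array &$accounts, string $username, string $plain): ?int {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $row   = $accounts[$username] ?? null;
    $hash  = $row['password'] ?? $dummy;
    $valid = password_verify($plain, $hash);
    if ($row === null || !$valid) {
        return null;
    }
    // Re-hash with the current defaults when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $accounts[$username]['password'] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return $row['id'];
}

// Constructed sample data mirroring the tutorial's test account.
$accounts = ['test' => make_account(1, 'test')];

var_dump(check_login($accounts, 'test', 'test'));    // existing user, correct password
var_dump(check_login($accounts, 'test', 'wrong'));   // existing user, wrong password
var_dump(check_login($accounts, 'nobody', 'test'));  // unknown user, dummy hash verified

// Hashing the same password twice gives different strings (random salt), which
// is why the stored hash is checked with password_verify() and not with ===.
var_dump(password_hash('test', PASSWORD_DEFAULT) === $accounts['test']['password']);
```

In authenticate.php the same idea applies to the num_rows branch: when no row is returned, call password_verify() against a dummy hash before printing the error.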

Upon successful authentication from the user, session variables will be initialized and preserved until they’re destroyed by either logging out or the session expiring. These session variables are stored on the server and are associated with a session ID stored in the user’s browser. We’ll use these variables to determine whether the user is logged in or not and to associate the session variables with our retrieved MySQL database results.

Did you know? The session_regenerate_id() function will help prevent session hijacking as it regenerates the user’s session ID that is stored on the server and as a cookie in the browser.

The user cannot change the session variables in their browser, so you don’t need to be concerned about that. The only value they can change is the encrypted session ID, which is used to associate the user with the server sessions.
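Because the session ID cookie is the only thing tying the browser to the server-side variables, it is worth protecting. The following added example (not part of the original tutorial) shows one way to harden the session around the login step; the function names are assumptions, and it is meant to replace the bare session_start() call at the top of authenticate.php.

```php
<?php
// Added example, not the tutorial's code. Function names are hypothetical.

function start_hardened_session(bool $https): void {
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Accept the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => $https,  // HTTPS only, when the site is served over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site POST requests
    ]);
    session_start();
}

function mark_logged_in(int $id, string $username): void {
    // true deletes the old session data, so the pre-login ID stops working.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['name'] = $username;
    $_SESSION['id'] = $id;
}

function is_logged_in(): bool {
    return isset($_SESSION['loggedin'], $_SESSION['id'])
        && $_SESSION['loggedin'] === true;
}

// Demo with constructed values standing in for a verified login.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
start_hardened_session($https);
$before = is_logged_in();
mark_logged_in(1, 'test');
var_dump($before, is_logged_in());
```

The cookie parameters and ini settings only take effect when they are set before session_start() is called.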

Now we can test the login system and make sure the authentication works correctly. Navigate to http://localhost/phplogin/index.html in your browser.

Type in a random username and password, and click the login button. It should output an error that should look like the following:

[Screenshot of http://localhost/phplogin/authenticate.php showing the incorrect username error]

Don’t worry, it’s not broken! If we navigate back to our login form and enter test for both the username and password fields, the authentication page will look like the following:

[Screenshot of http://localhost/phplogin/authenticate.php showing the logged-in message]

If you receive an error, make sure to double-check your code to make sure you haven’t missed anything or check if the test account exists in your database.
