{"id":1335,"date":"2022-11-28T08:31:36","date_gmt":"2022-11-28T00:31:36","guid":{"rendered":"https:\/\/hostscripter.com\/?p=1335"},"modified":"2022-11-28T08:31:36","modified_gmt":"2022-11-28T00:31:36","slug":"part-4-create-your-own-login-system-using-php-and-mysql","status":"publish","type":"post","link":"https:\/\/hostscripter.com\/?p=1335","title":{"rendered":"Part 4: Create your own Login System using PHP and MySql"},"content":{"rendered":"

4. Authenticating Users with PHP<\/h2>\n

Now that we have our database setup, we can go ahead and start coding with PHP. We’re going to start with the authentication file, which will process and validate the form data that we’ll send from our\u00a0index.html<\/i>\u00a0file.<\/p>\n

Edit the\u00a0authenticate.php<\/i>\u00a0file and add the following:<\/p>\n

<\/div>\n
<?php<\/span>\r\nsession_start<\/span>(<\/span>)<\/span>;<\/span>\r\n\/\/ Change this to your connection info.<\/span>\r\n$DATABASE_HOST<\/span> =<\/span> 'localhost'<\/span>;<\/span>\r\n$DATABASE_USER<\/span> =<\/span> 'root'<\/span>;<\/span>\r\n$DATABASE_PASS<\/span> =<\/span> ''<\/span>;<\/span>\r\n$DATABASE_NAME<\/span> =<\/span> 'phplogin'<\/span>;<\/span>\r\n\/\/ Try and connect using the info above.<\/span>\r\n$con<\/span> =<\/span> mysqli_connect<\/span>(<\/span>$DATABASE_HOST<\/span>,<\/span> $DATABASE_USER<\/span>,<\/span> $DATABASE_PASS<\/span>,<\/span> $DATABASE_NAME<\/span>)<\/span>;<\/span>\r\nif<\/span> (<\/span> mysqli_connect_errno<\/span>(<\/span>)<\/span> )<\/span> {<\/span>\r\n\t\/\/ If there is an error with the connection, stop the script and display the error.<\/span>\r\n\texit<\/span>(<\/span>'Failed to connect to MySQL: '<\/span> .<\/span> mysqli_connect_error<\/span>(<\/span>)<\/span>)<\/span>;<\/span>\r\n}<\/span><\/span><\/code><\/pre>\n
Initially, the code will start the session as this enables us to preserve account details on the server and will be used later on to remember logged-in users.<\/p>\n
Connecting to the database is essential. Without it, how can we retrieve and store information related to our users? Therefore, we must make sure to update the variables to reflect our MySQL database credentials.<\/p>\n
Add below:<\/p>\n
<\/div>\n
\/\/ Now we check if the data from the login form was submitted, isset() will check if the data exists.<\/span>\r\nif<\/span> (<\/span> !<\/span>isset<\/span>(<\/span>$_POST<\/span>[<\/span>'username'<\/span>]<\/span>,<\/span> $_POST<\/span>[<\/span>'password'<\/span>]<\/span>)<\/span> )<\/span> {<\/span>\r\n\t\/\/ Could not get the data that should have been sent.<\/span>\r\n\texit<\/span>(<\/span>'Please fill both the username and password fields!'<\/span>)<\/span>;<\/span>\r\n}<\/span><\/code><\/pre>\n
The above code will make sure the form data exists, whereas if the user tries to access the file without submitting the form, it will output a simple error.<\/p>\n
Add below:<\/p>\n
<\/div>\n
\/\/ Prepare our SQL, preparing the SQL statement will prevent SQL injection.<\/span>\r\nif<\/span> (<\/span>$stmt<\/span> =<\/span> $con<\/span>-<\/span>><\/span>prepare<\/span>(<\/span>'SELECT id, password FROM accounts WHERE username = ?'<\/span>)<\/span>)<\/span> {<\/span>\r\n\t\/\/ Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use \"s\"<\/span>\r\n\t$stmt<\/span>-<\/span>><\/span>bind_param<\/span>(<\/span>'s'<\/span>,<\/span> $_POST<\/span>[<\/span>'username'<\/span>]<\/span>)<\/span>;<\/span>\r\n\t$stmt<\/span>-<\/span>><\/span>execute<\/span>(<\/span>)<\/span>;<\/span>\r\n\t\/\/ Store the result so we can check if the account exists in the database.<\/span>\r\n\t$stmt<\/span>-<\/span>><\/span>store_result<\/span>(<\/span>)<\/span>;<\/span>\r\n\r\n\r\n\t$stmt<\/span>-<\/span>><\/span>close<\/span>(<\/span>)<\/span>;<\/span>\r\n}<\/span>\r\n?><\/span><\/code><\/pre>\n
The above code will prepare the SQL statement that will select the\u00a0id<\/i>\u00a0and\u00a0password<\/i>\u00a0columns from the accounts table. In addition, it will bind the\u00a0username<\/i>\u00a0to the SQL statement, execute, and then store the result.<\/p>\n
After the following line:<\/p>\n
$stmt<\/span>-<\/span>><\/span>store_result<\/span>(<\/span>)<\/span>;<\/span><\/code><\/pre>\n
Add:<\/p>\n
<\/div>\n
if<\/span> (<\/span>$stmt<\/span>-<\/span>><\/span>num_rows<\/span> ><\/span> 0<\/span>)<\/span> {<\/span>\r\n\t$stmt<\/span>-<\/span>><\/span>bind_result<\/span>(<\/span>$id<\/span>,<\/span> $password<\/span>)<\/span>;<\/span>\r\n\t$stmt<\/span>-<\/span>><\/span>fetch<\/span>(<\/span>)<\/span>;<\/span>\r\n\t\/\/ Account exists, now we verify the password.<\/span>\r\n\t\/\/ Note: remember to use password_hash in your registration file to store the hashed passwords.<\/span>\r\n\tif<\/span> (<\/span>password_verify<\/span>(<\/span>$_POST<\/span>[<\/span>'password'<\/span>]<\/span>,<\/span> $password<\/span>)<\/span>)<\/span> {<\/span>\r\n\t\t\/\/ Verification success! User has logged-in!<\/span>\r\n\t\t\/\/ Create sessions, so we know the user is logged in, they basically act like cookies but remember the data on the server.<\/span>\r\n\t\tsession_regenerate_id<\/span>(<\/span>)<\/span>;<\/span>\r\n\t\t$_SESSION<\/span>[<\/span>'loggedin'<\/span>]<\/span> =<\/span> TRUE<\/span>;<\/span>\r\n\t\t$_SESSION<\/span>[<\/span>'name'<\/span>]<\/span> =<\/span> $_POST<\/span>[<\/span>'username'<\/span>]<\/span>;<\/span>\r\n\t\t$_SESSION<\/span>[<\/span>'id'<\/span>]<\/span> =<\/span> $id<\/span>;<\/span>\r\n\t\techo<\/span> 'Welcome '<\/span> .<\/span> $_SESSION<\/span>[<\/span>'name'<\/span>]<\/span> .<\/span> '!'<\/span>;<\/span>\r\n\t}<\/span> else<\/span> {<\/span>\r\n\t\t\/\/ Incorrect password<\/span>\r\n\t\techo<\/span> 'Incorrect username and\/or password!'<\/span>;<\/span>\r\n\t}<\/span>\r\n}<\/span> else<\/span> {<\/span>\r\n\t\/\/ Incorrect username<\/span>\r\n\techo<\/span> 'Incorrect username and\/or password!'<\/span>;<\/span>\r\n}<\/span><\/code><\/pre>\n
First, we need to check if the query has returned any results. If the\u00a0username<\/i>\u00a0doesn’t exist in the database then there would be no results.<\/p>\n
If the username exists, we can bind the results to both the\u00a0$id<\/i>\u00a0and\u00a0$password<\/i>\u00a0variables.<\/p>\n
Subsequently, we proceed to verify the password with the\u00a0password_verify<\/a><\/i>\u00a0function. Only passwords that were created with the\u00a0password_hash<\/a><\/i>\u00a0function will work.<\/p>\n
If you don’t want to use any password encryption method, you can simply replace the following code:<\/p>\n
<\/div>\n
if<\/span> (<\/span>password_verify<\/span>(<\/span>$_POST<\/span>[<\/span>'password'<\/span>]<\/span>,<\/span> $password<\/span>)<\/span>)<\/span> {<\/span><\/code><\/pre>\n
With:<\/p>\n
<\/div>\n
if<\/span> (<\/span>$_POST<\/span>[<\/span>'password'<\/span>]<\/span> ===<\/span> $password<\/span>)<\/span> {<\/span><\/code><\/pre>\n
However, I don’t recommend removing the hashing functions because if somehow your database becomes exposed, all the passwords stored in the accounts table will also be exposed. In addition, the user will have a sense of privacy knowing their password is encrypted.<\/p>\n
Upon successful authentication from the user, session variables will be initialized and preserved until they’re destroyed by either logging out or the session expiring. These session variables are stored on the server and are associated with a session ID stored in the user’s browser. We’ll use these variables to determine whether the user is logged in or not and to associate the session variables with our retrieved MySQL database results.<\/p>\n
<\/i>Did you know?<\/strong>The session_regenerate_id() function will help prevent session hijacking as it regenerates the user’s session ID that is stored on the server and as a cookie in the browser.<\/p>\n<\/div>\n
The user cannot change the session variables in their browser and therefore you don’t need to be concerned about such matter. The only variable they can change is the encrypted session ID, which is used to associate the user with the server sessions.<\/p>\n
Now we can test the login system and make sure the authentication works correctly. Navigate to\u00a0http:\/\/localhost\/phplogin\/index.html<\/i>\u00a0in your browser.<\/p>\n
Type in a random username and password, and click the login button. It should output an error that should look like the following:<\/p>\n
\n
http:\/\/localhost\/phplogin\/authenticate.php<\/span><\/div>\n
\"Authentication<\/div>\n
Don’t worry, it’s not broken! If we navigate back to our login form and enter\u00a0test<\/i>\u00a0for both the username and password fields, the authentication page will look like the following:<\/p>\n
\n
http:\/\/localhost\/phplogin\/authenticate.php<\/span><\/div>\n
\"Authentication<\/div>\n
If you receive an error, make sure to double-check your code to make sure you haven’t missed anything or check if the\u00a0test<\/i>\u00a0account exists in your database.<\/p>\n
<\/a><\/a><\/a><\/a><\/div>
<\/a><\/a><\/a><\/a><\/div>","protected":false},"excerpt":{"rendered":"
4. Authenticating Users with PHP Now that we have our database setup, we can go ahead and start coding with PHP. We’re going to start with the authentication file, which […]<\/p>\n","protected":false},"author":301,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":""},"categories":[4],"tags":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9KaPo-lx","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":1329,"url":"https:\/\/hostscripter.com\/?p=1329","url_meta":{"origin":1335,"position":0},"title":"Part 1: Create your own Login System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"In this tutorial, I'll be teaching you how you can create your very own secure PHP login system. A login form is what your website's visitors can use to log in to your website to access restricted content, such as a profile page. We will leverage MySQL to retrieve account\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/hostscripter.com\/?cat=4"},"img":{"alt_text":"Secure Login System with PHP and MySQL","src":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-login-system-php-mysql.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-login-system-php-mysql.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-login-system-php-mysql.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-login-system-php-mysql.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1343,"url":"https:\/\/hostscripter.com\/?p=1343","url_meta":{"origin":1335,"position":1},"title":"Part 1: Create your own Registration System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"This tutorial is a follow up to our previous tutorial\u00a0Secure Login System with PHP and MySQL. In this tutorial, we'll be creating a secure registration form and implementing basic validation. A registration form is what your website's visitors can use to register their details, which will subsequently be stored in\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/hostscripter.com\/?cat=4"},"img":{"alt_text":"Secure Registration System with PHP and MySQL","src":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-registration-system-php-mysql.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-registration-system-php-mysql.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-registration-system-php-mysql.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/posts\/secure-registration-system-php-mysql.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1341,"url":"https:\/\/hostscripter.com\/?p=1341","url_meta":{"origin":1335,"position":2},"title":"Part 7: Create your own Login System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"7. Creating the Logout Script Creating the logout script is straightforward. All you need to do is destroy the sessions that were declared in the authenticate file. Edit the\u00a0logout.php\u00a0file and add the following code:  Initialize sessions, destroy them,\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/hostscripter.com\/?cat=4"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1349,"url":"https:\/\/hostscripter.com\/?p=1349","url_meta":{"origin":1335,"position":3},"title":"Part 4: Create your own Registration System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"4. Registering Users with PHP & MySQL Now we need to create the registration file that will process the form fields, check for basic validation, and insert the new account into our database. The registration page will require a connection to our database and therefore we must include the necessary\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/hostscripter.com\/?cat=4"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1337,"url":"https:\/\/hostscripter.com\/?p=1337","url_meta":{"origin":1335,"position":4},"title":"Part 5: Create your own Login System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"5. Creating the Home Page The home page will be the first page our users see when they've logged-in. The only way they can access this page is if they're logged-in, whereas if they aren't, they will be redirected back to the login page. Edit the\u00a0home.php\u00a0file and add the following\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/hostscripter.com\/?cat=4"},"img":{"alt_text":"PHP Loggedin Home Page","src":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/phplogin\/loggedin-home-page.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/codeshack.io\/web\/img\/phplogin\/loggedin-home-page.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/phplogin\/loggedin-home-page.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/codeshack.io\/web\/img\/phplogin\/loggedin-home-page.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1339,"url":"https:\/\/hostscripter.com\/?p=1339","url_meta":{"origin":1335,"position":5},"title":"Part 6: Create your own Login System using PHP and MySql","author":"h05t5cr1pt3r","date":"November 28, 2022","format":false,"excerpt":"6. Creating the Profile Page The profile page will display the account information for the logged-in user. Edit the\u00a0profile.php\u00a0file and add the following code: