This tutorial will attempt to teach you how to build a rudimentary login system for your site. It's assumed that you understand MySQL concepts, as well as session variables and form handling.

To begin, you will need to create a new table in your database named 'users'. In this database create three new fields 'id' (primary key), 'username', 'password'. You can add more fields as you need them later. For now we're just going to worry about checking for an existing username and password combination.

Next, create your html page with the login form. Below is a quick sample of a form you can build.



Please notice that we are using the POST method for the form. This is to ensure that the username and password aren't passed as URL parameters, which is a security flaw for obvious reasons.

Next we'll code our checkLogin.php page. This page is going to select all the rows with matching username and password combinations. There should only be one row that does so, which is our valid row. I'm not going to cover data integrity here, but you'll definitely want to sanitze your data from SQL injection. Keeping in the theme of my tutorials though, I only want to focus on the task at hand.



You may want to consider posting the form to PHP_SELF for basic error handling, or you can pass error messages through the url parameter, it's up to you. As I said, this is just a rudimentary example of how to set up a basic user login script. From here, if you want to check and see if a user is logged in, just put the following at the top of a page.



Naturally there are many different ways to achieve the same thing in PHP. This script is great for basic logins, but may not be what you need for something more complex. Adapt it to your needs or just use it as a place to begin learning. Hope everything is clear with the instructions. As usual, questions and comments are more than welcome. Take care.

This post has been edited by akozlik: 22 May, 2008 - 02:11 PM

Damn, this was actually supposed to be submitted under Tutorials. I resubmitted it under that category, but I can't seem to close it out here. If the Admin or Moderators can help let me know.

Just a tip - you don't have a submit button on your form.

Indeed I didn't. It's edited. Thanks for catching that.

Thank you for this. Very easy to follow!

Rich

for a basic script, it's actually pretty good... however I would suggest adding in some type of password hashing, such as MD5 or SHA-1....

you also might want to include setting up the database....

now, since it's a tutorial, and a basic one, I won't go into the more detailed, such as COUNT(*)

I definitely agree with the hashing. I meant to mention something about it, but I forgot. You should definitely be hashing your passwords before you store them in the database, and then hash the login password and check that against the one stored.

Also, using COUNT is a good idea. That just shows that there are many different ways to achieve the same affect. Using COUNT would actually be more efficient, but I figured this would be a good way to get people started on user authentication.

Thanks for the comments and suggestions.

And how about some protection from SQL Injection?

Yeah I mentioned that in the tutorial to look into SQL injection as well. I just wanted to keep this tutorial simple so people could understand the concepts behind user authentication systems. SQL Injection is something that could be covered in its own tutorial, as it's a beast all of its own.

Also, in response to the hash comment, I recently wrote a tutorial on hash techniques. It can be found here. That could be integrated with this tutorial for the truly adventurous. Check them out if you get a chance.