Most websites have some sort of private section where ordinary users are not allowed: an admin section where the webmaster manages the CMS, a private area holding sensitive personal information, or even just the webmail client you use to read your email.
All of these cases have something in common: they restrict access to authorised users only, by means of a login system.
To create an authentication system you will need:
- A database with a table called users that has at least three columns: id, username, password
- An HTML form where users fill in their username and password
- A PHP script that checks whether the username and password provided actually exist
- A private area users can reach only after logging in successfully
STEP 1. create a table called users:
a) Use phpMyAdmin or any other GUI to create the table quickly, or run this SQL:

```sql
CREATE TABLE `examples`.`users` (
  `id` INT( 5 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY ,
  `username` VARCHAR( 50 ) NOT NULL ,
  `password` VARCHAR( 50 ) NOT NULL
)
```
b) Insert a couple of users (into the same `users` table created above):

```sql
INSERT INTO `examples`.`users` ( `id` , `username` , `password` )
VALUES
  ( NULL , 'john',  SHA1('johnPsw' ) ),
  ( NULL , 'james', SHA1('jamesPsw') ),
  ( NULL , 'jim',   SHA1('jimPsw'  ) );
```

PLEASE NOTE: we are using the SHA1() function to hash (not encrypt) the passwords, so the plain text is never stored in the table. An unsalted SHA1 digest offers little protection against offline cracking if the table leaks; PHP's password_hash() and password_verify() are the recommended replacement.
STEP 2. login form:

```html
<!-- LOGIN FORM in: admin/index.php -->
<form method="post" action="#">
  <p><label for="u_name">username:</label></p>
  <p><input type="text" name="u_name" value=""></p>
  <p><label for="u_pass">password:</label></p>
  <p><input type="password" name="u_pass" value=""></p>
  <p><button type="submit" name="go">log me in</button></p>
</form>
<!-- A paragraph to display any errors -->
<p><strong><?php if(isset($error)){echo $error;} ?></strong></p>
```
STEP 3. php script:

```php
<?php
# admin/index.php
##### [make sure you put this code before any html output] #####

// connect to server
$dbc = mysqli_connect('localhost', 'root', '') or die('could not connect: ' . mysqli_connect_error());
// select db
mysqli_select_db($dbc, 'examples') or die('no db connection');

// check if the login form has been submitted
if (isset($_POST['go'])) {
    ##### form submitted, check data... #####
    // step 1: sanitise and store data into vars (storing the hashed password)
    $usr = mysqli_real_escape_string($dbc, htmlentities($_POST['u_name']));
    $psw = sha1($_POST['u_pass']); // sha1() here must match the SHA1() used in the INSERT of step 1
    // step 2: create query to check if username and password match
    //         (column names must be the ones created in step 1: username, password)
    $q = "SELECT * FROM users WHERE username='$usr' AND password='$psw'";
    // step 3: run the query and store result
    $res = mysqli_query($dbc, $q);
    // make sure we have exactly one matching row
    if (mysqli_num_rows($res) == 1) {
        ######### LOGGING IN ##########
        // starting a session
        session_start();
        // creating a log SESSION VARIABLE that will persist through pages
        $_SESSION['log'] = 'in';
        // redirecting to the restricted page, then stopping the script:
        // header() alone does not halt execution, so the rest of the page would still be sent
        header('Location: restricted.php');
        exit();
    } else {
        // create an error message
        $error = 'Wrong details. Please try again';
    }
} // end isset go
?>
<!-- HTML FORM GOES HERE -->
```
STEP 4. restricted page:

```php
<?php
# admin/restricted.php
##### [make sure you put this code before any html output] #####

// starting the session
session_start();
// checking if a log SESSION VARIABLE has been set
if (!isset($_SESSION['log']) || ($_SESSION['log'] != 'in')) {
    // if the user is not allowed, display a message and a link back to the login page
    // (single quotes around the href, so they do not terminate the double-quoted string)
    echo "You are not allowed. <a href='index.php'>back to login page</a>";
    // then abort the script
    exit();
}

/**
 * #### CODE FOR LOG OUT ####
 * see the logout tutorial
 */
?>
<!-- RESTRICTED PAGE HTML GOES HERE -->
```