The login script is actually easier than some people make it out to be. There are a few ways you can approach logging in users.
There’s a simple way, and a more advanced way. Advanced in the sense that it doesn’t just check whether the query returns a row, as the simple way does.
Here’s the simple way:
Login.php
<form action="login.php?action=auth" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
<?php
if (isset($_GET['action']) && $_GET['action'] == 'auth'){ // An IF statement that basically tells the server: if action=auth is called, process the code within the brackets.
    $username = $_POST['username']; //Collects the form data that is inputted in the name=username input field
    $username = strip_tags($username); //Strips any html tags from the data. IMO a must for security integrity
    $username = mysql_real_escape_string($username); //Adds backslashes to \x00, \n, \r, \, ', " and \x1a. Another must for security
    $pass = $_POST['password'];
    $pass = strip_tags($pass);
    $pass = mysql_real_escape_string($pass);
    $pass1 = md5($pass); //Hashes the inputted password using MD5. There are arguably better ways to do this, but this is the easiest, and IMO the only needed salt.
    $check_login = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$pass1'");
    $check_login = mysql_fetch_assoc($check_login); //Returns the matching row, or false if no row matched
    if ($check_login){
        session_start(); //Starts a session. This has to run before any output is sent, unless output buffering is enabled
        $_SESSION['user'] = $username; //Creates the $_SESSION['user'] and sets it as the inputted username
        echo "Login Successful!";
    }else{
        echo "Username/Password Incorrect!";
    }
}
?>
That’s the extremely simple way of doing it. I’ve commented the code to explain what each part does. You can remove the parts that follow each // and the code will still work.
Now the more “advanced” way to do it. This is a favorite of mine; I use a variation of it in a lot of my projects.
Login.php
<form action="login.php?action=auth" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
<?php
if (isset($_GET['action']) && $_GET['action'] == 'auth'){ // An IF statement that basically tells the server: if action=auth is called, process the code within the brackets.
    $username = $_POST['username']; //Collects the form data that is inputted in the name=username input field
    $username = strip_tags($username); //Strips any html tags from the data. IMO a must for security integrity
    $username = mysql_real_escape_string($username); //Adds backslashes to \x00, \n, \r, \, ', " and \x1a. Another must for security
    $pass = $_POST['password'];
    $pass = strip_tags($pass);
    $pass = mysql_real_escape_string($pass);
    $pass1 = md5($pass); //Hashes the inputted password using MD5. There are arguably better ways to do this, but this is the easiest, and IMO the only needed salt.
    $grab_user = mysql_query("SELECT * FROM users WHERE username='$username'");
    $gr_us = mysql_fetch_assoc($grab_user); //The user's row, or false if there is none
    $user_count = mysql_num_rows($grab_user); //Number of rows the query matched
    if ($user_count <= 0){
        echo "Username Doesn't exist";
    }else{
        if ($gr_us['password'] == $pass1){
            session_start(); //This has to run before any output is sent, unless output buffering is enabled
            $_SESSION['user'] = $username;
            echo "Login Successful!";
        }else{
            echo "Password Incorrect";
        }
    }
}
?>
The only difference between the two is that the second script first checks whether the user even exists to begin with. That way, if the username doesn’t exist, the server kicks out an error and the script stops processing.
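A hardened variation on the two scripts above, as an added example that is not part of the original post: it binds the input with a PDO prepared statement instead of escaping it, stores and checks passwords with password_hash()/password_verify() instead of MD5, and answers with one message whether the username or the password is wrong, so the response does not reveal which usernames exist. The in-memory SQLite database, the sample user and the function names are assumptions constructed for the example.

```php
<?php
// Added example: constructed in-memory database and sample user, not from the original post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
// password_hash() generates a random per-user salt and stores it inside the hash string.
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash that is verified when the username is unknown, so both failure paths do the same work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the input out of the SQL text, so no escaping is needed.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn(); // false when no such user

    // password_verify() re-derives the salted hash and compares it in constant time.
    $ok = password_verify($password, $stored === false ? DUMMY_HASH : $stored);
    return $ok && $stored !== false;
}

function login(PDO $pdo, string $username, string $password): string
{
    if (!check_login($pdo, $username, $password)) {
        // One message for both failures.
        return 'Username/Password Incorrect!';
    }
    if (PHP_SAPI !== 'cli') {        // sessions only make sense under a web server
        session_start();             // before any output is sent
        session_regenerate_id(true); // fresh session id after authentication
        $_SESSION['user'] = $username;
    }
    return 'Login Successful!';
}

echo login($pdo, 'alice', 'correct horse'), "\n";  // known user, right password
echo login($pdo, 'alice', 'wrong'), "\n";          // known user, wrong password
echo login($pdo, 'nobody', 'correct horse'), "\n"; // unknown user
```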
Enjoy!