I am assuming you have basic PHP, PDO and SQL knowledge, but even if you do not, I will be explaining every step in layman's terms. If you still do not understand something, feel free to email me or simply leave a comment below.
For this script to work, you will obviously need a table that contains the registered users' information, such as username and password, and of course a primary key column, user_id in our case.
My table (registered_users) is structured like this:
user_id | username | user_password
1 | phpdevsami | 123456
2 | brown24 | 5656kilo
Here is an overview of what we will be doing.
- We will first check whether a session exists. If it does, the user is already logged in and we will not show the form; if it does not, we will display the form. Basically, you do not want to show the form to a user who is already logged in.
- Our form will send its data to the "process_login.php" file. There we check that the user has submitted the form and that the fields have been filled in, and then we send the username and password to the database and try to match them against the records already stored there.
- Finally, if we find a match in step 2, we will create a session and redirect the user to the homepage.
Explanation:
$_POST[] is an associative array that contains all the data posted from a form. More about the POST and GET methods in my other tutorial.
session_start() starts the session. A session is a simple way of storing information in a variable that is available across multiple pages. The session data is not stored on the user's computer but on the server; the browser only holds a unique session ID.
session_destroy() ends the session.
isset() checks whether a variable is set and is not NULL.
$_SESSION[] is an array; you give it a name and a value, which can then be accessed on other pages.
include() includes a desired file into the current page.
empty() checks whether a variable has a value or not.
Our files:
index.php
login_form.html
process_login.php
logout_user.php
Let's start with index.php; it does exactly what I described in step 1.
<?php
session_start();
// No session value means nobody is logged in, so show the form.
if (!isset($_SESSION["logged_in"])) {
    include("login_form.html");
} else {
    echo "Hello, " . $_SESSION["logged_in"] . "<br>";
    echo "<a href=\"logout_user.php\"> Logout </a>";
}
Here's our login form from login_form.html. Just a basic HTML form.
<form method="POST" action="process_login.php">
    <label for="username"> Your username: </label>
    <input id="username" name="username" type="text" required> <br>
    <label for="password"> Your password: </label>
    <input id="password" name="password" type="password" required> <br>
    <input name="login" type="submit" value="Login">
</form>
process_login.php processes the submitted information: it queries the database and checks whether the username and password exist there, creating a session if they do and showing a message if they do not.
<?php
// $conn is assumed to be a PDO connection created elsewhere (not shown in this tutorial).
class Process_login
{
    private $conn;

    function __construct($conn)
    {
        $this->conn = $conn;
        // Only run when the form was actually submitted.
        if (isset($_POST["login"])) {
            if ((!empty($_POST["username"])) && (!empty($_POST["password"]))) {
                $username = $_POST["username"];
                $user_password = $_POST["password"];
                // Prepared statement with bound parameters, so the values are never interpolated into the SQL.
                $select_data = $this->conn->prepare("SELECT username, user_password FROM registered_users WHERE username = :username and user_password = :user_password");
                $select_data->execute(array(':username' => $username, ':user_password' => $user_password));
                $select_user_and_pass = $select_data->fetch(PDO::FETCH_ASSOC);
                if (!empty($select_user_and_pass)) {
                    session_start();
                    $_SESSION["logged_in"] = $username;
                    header("Location: index.php");
                    exit; // stop the script after sending the redirect header
                } else {
                    echo "Wrong username or password <br>";
                    echo "<a href=\"index.php\"> Try again </a>";
                }
            } else {
                echo "Please fill in all the fields";
            }
        }
    }
}
$process_login = new Process_login($conn);
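The script above stores passwords in plaintext and compares them inside the SQL query. As an added example, not code from the tutorial, here is the same process_login.php logic written the way a practitioner would harden it: the table keeps a password_hash() result in user_password, the lookup is by username only, password_verify() does the comparison, and the session ID is regenerated at login. It assumes the tutorial's registered_users table and an existing PDO connection in $conn.

```php
<?php
// Added example, not the tutorial's own code: a hardened process_login.php.
// Assumes the tutorial's registered_users table, but with user_password holding a
// password_hash() result instead of plaintext, and $conn being an existing PDO connection.
declare(strict_types=1);

function authenticate(PDO $conn, string $username, string $password): ?array
{
    // Look the user up by username only; the password never goes into the SQL query.
    $stmt = $conn->prepare(
        "SELECT user_id, username, user_password FROM registered_users WHERE username = :username"
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored hash in constant time.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null; // same result for "no such user" and "wrong password"
    }
    // Transparently upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($row['user_password'], PASSWORD_DEFAULT)) {
        $upd = $conn->prepare("UPDATE registered_users SET user_password = :h WHERE user_id = :id");
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
    }
    return ['user_id' => (int) $row['user_id'], 'username' => $row['username']];
}

session_start();
if (isset($_POST['login'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    if ($username === '' || $password === '') {
        echo "Please fill in all the fields";
        exit;
    }
    $user = authenticate($conn, $username, $password);
    if ($user === null) {
        echo "Wrong username or password<br>";
        echo "<a href=\"index.php\"> Try again </a>";
        exit;
    }
    // Issue a fresh session ID at login so a pre-set ID (session fixation) is not kept.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = $user['username'];
    $_SESSION['user_id'] = $user['user_id'];
    header("Location: index.php");
    exit;
}
```

When registering users, store password_hash($password, PASSWORD_DEFAULT) in user_password instead of the plaintext value, otherwise password_verify() will never match.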
And finally logout_user.php, which ends the session and logs the user out.
<?php
session_start();
if (!isset($_SESSION["logged_in"])) {
    echo "To logout, you'd need to login first, <a href=\"index.php\"> login here </a>";
} else {
    echo "You've been logged out " . $_SESSION["logged_in"] . "<br>";
    echo "<a href=\"index.php\"> Return to homepage </a>";
    $_SESSION = array(); // clear the in-memory session data
    session_destroy();   // remove the session data stored on the server
}
Oh my GOD this is insecure... like... even if it is harder to teach someone the secure way, you should never teach them the insecure way anyway...
I'd love to know the vulnerabilities in the code above.
Thanks for the comment : )