edrackham » MySQL

PHP Login Script Tutorial

Ed — Wed, 06 Oct 2010 21:04:34 +0000

This PHP login script / tutorial will show you how you can have users register on your site, and log in to access secure areas. I have seen a few tutorials around the web which show how this can be done, but they all seem to lack in security. This user membership tutorial will show a better way of having users authenticated once logged in by using their session ID.

DEMO: HERE

The Table

Firstly, we need to create a table to store our users. I’m using phpMyAdmin to administer my database, so setting up the table is pretty easy for me. You can use the following SQL statement to create your `users` table, using whichever method you prefer:

CREATE TABLE `users` (
    `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
    `email` VARCHAR( 255 ) NOT NULL ,
    `password` VARCHAR( 32 ) NOT NULL ,
    `session_id` VARCHAR( 32 ) NULL ,
    `date_registered` DATETIME NOT NULL ,
    UNIQUE (`email`)
) ENGINE = MYISAM ;

A few things to note here:

We’re going to be hashing the passwords (using MD5), so we know that the password field will be exactly 32 characters in length
For extra security, we’re going to re-authenticate users across pages using their session ID, so we – again – need a field which is exactly 32 characters
We’re making the email field unique. This isn’t completely necessary, as we’ll be checking for duplicate email addresses within the register form, but it’s just an extra “lock on the door” so to speak. So if anything failed within the PHP code, the database would still fail on the insert.

The main config file

It makes sense to have an include which will set up a few things for us on every page we want to secure. This file should have the session_start() function call in it – because without this, we wouldn’t be able to use sessions at all! We also need to establish a database connection, and finally, check for an authenticated user.

Create a new file called config.php and paste the following code into it:

// Start the session (pretty important!)
session_start();

// Establish a link to the database
$dbLink = mysql_connect('YOUR HOSTNAME', 'YOUR USERNAME', 'YOUR PASSWORD');
if (!$dbLink) die('Can\'t establish a connection to the database: ' . mysql_error());

$dbSelected = mysql_select_db('YOUR DATABASE', $dbLink);
if (!$dbSelected) die ('We\'re connected, but can\'t use the table: ' . mysql_error());

// Run a quick check to see if we are an authenticated user or not
// First, we set a 'is the user logged in' flag to false by default.
$isUserLoggedIn = false;
$query 		= 'SELECT * FROM users WHERE session_id = "' . session_id() . '" LIMIT 1';
$userResult 	= mysql_query($query);
if(mysql_num_rows($userResult) == 1){
	$_SESSION['user'] = mysql_fetch_assoc($userResult);
	$isUserLoggedIn = true;
}else{
	if(basename($_SERVER['PHP_SELF']) != 'login.php'){
		header('Location: login.php');
		exit;
	}
}

Ok, so firstly we’re calling session_start(). This is an extremely important function to call if you want to use server-side session variables. This function should ALWAYS be called before any output has been sent to the browser – even newlines. It’s generally a good idea to just call session_start() at the very top of your code, on every page. Why are we using session variables anyway? Well, it’s much easier to handle arrays of data across pages if we do this. In this example, we will be storing the user’s details (such as name, email address etc…) within a session variable array, so we can access it on any number of secure pages we have.

Lines 5 to 9 are simply establishing a connection to our database. I’m not going to go into too much detail on how you use PHP to connect to a database, but you do need to replace the following four items within these lines:

YOUR HOSTNAME – This is generally localhost, but can be another named, or IP of a remote host where your database resides.
YOUR USERNAME – Replace this with your username for accessing your database.
YOUR PASSWORD – Replace this with your password for accessing your database.
YOUR DATABASE – Replace this with the name of your database you want to access.

The Auto-Authentication

Within the config.php file, I think it’d be a good idea to automatically authenticate the user. This means that every time a page is loaded (with our config.php file in the header) we’ll be doing a quick check to see if they’re authenticated, and if they are – we’ll set a boolean flag to indicate this, and a session based array full of their information.

Line 13 sets the boolean flag $isUserLoggedIn to false by default. Line 14 sets up a query to get any user who has the session id set to session_id(). session_id() is a PHP function which returns a 32 character length string with the user’s current session variable. This is a unique string that PHP will generate for every user on your site. This will timeout (change to a new session ID) based on the PHP ini setting session.gc_maxlifetime. Generally, you won’t need to change this timeout limit, but if you need to, you should be able to add the following to the top of the config file (just under session_start() should do fine):

ini_set(’session.gc_maxlifetime’, 60*60);

Which will set the timeout to one hour – 60 seconds multiplied by 60. You can make this even bigger if you like, but it’s a good idea to keep your timeouts down to around 30mins, so if a registered – and logged in – user leaves their computer for over 30mins, someone else won’t be able to use the secure area (as the session would have timed out).

Line 15 simply executes the query, and stores the return result of the query in $userResult.

Line 16 checks to see if we have a result returned. If we do, it means that we have found a user in our users table, with a session ID which exactly matches the result of session_id(). Therefore, it’s safe to say that the user is an already-logged-in user, and as such, we can authenticate them.

We do this on lines 17 and 18 by setting a session variable array $_SESSION['user'] to the array of data that we get back when we fetch the row of data, and then setting the $isUserLoggedIn flag to true.

The remaining lines in our config.php file are there so that we can handle what happens to a non-authenticated user. If no logged-in-user is found, we check to see what page we’re currently on. If we’re not on our login.php page, we redirect the user to our login.php page. We need to check that we’re not on the login page before doing the redirect, otherwise we’d end up putting the user in an infinite loop. For example, regardless of what page you’re on (including the login.php page), we’d ALWAYS be redirecting the user to the login.php page. Just under that we’re calling exit;. This should always be called after doing a header(‘Location: …’); call, as the page can still continue to render after the header has been executed, causing all sorts of problems.

The Login & Register Page

Yep – we’re clever, so we’re going to have the login and register functionality / forms on the same page!

Create a new file called login.php and copy the following code into it:

 12)
		$errors['loginPassword'] = 'Your password must be between 6-12 characters.';

	if(!$errors){
		$query 	= 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1';
		$result = mysql_query($query);
		if(mysql_num_rows($result) == 1){
			$user = mysql_fetch_assoc($result);
			$query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1';
			mysql_query($query);
			header('Location: index.php');
			exit;
		}else{
			$errors['login'] = 'No user was found with the details provided.';
		}
	}
}

// Register attempt
if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){
	$registerEmail = trim($_POST['email']);
	$registerPassword = trim($_POST['password']);
	$registerConfirmPassword 	= trim($_POST['confirmPassword']);

	if (!eregi("^[_a-z0-9-] (.[_a-z0-9-] )*@[a-z0-9-] (.[a-z0-9-] )*(.[a-z]{2,3})$", $registerEmail))
		$errors['registerEmail'] = 'Your email address is invalid.';

	if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)
		$errors['registerPassword'] = 'Your password must be between 6-12 characters.';

	if($registerPassword != $registerConfirmPassword)
		$errors['registerConfirmPassword'] = 'Your passwords did not match.';

	// Check to see if we have a user registered with this email address already
	$query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1';
	$result = mysql_query($query);
	if(mysql_num_rows($result) == 1)
		$errors['registerEmail'] = 'This email address already exists.';

	if(!$errors){
		$query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '",
																		password = MD5("' . mysql_real_escape_string($registerPassword) . '"),
																		date_registered = "' . date('Y-m-d H:i:s') . '"';

		if(mysql_query($query)){
			$success['register'] = 'Thank you for registering. You can now log in on the left.';
		}else{
			$errors['register'] = 'There was a problem registering you. Please check your details and try again.';
		}
	}

}
?>



  
  Login to the secure area
  
  



  Login / Register Here

	
		Login
		' . $errors['login'] . ''; ?>

		Email Address
		
		' . $errors['loginEmail'] . ''; ?>

		Password 6-12 chars
		
		' . $errors['loginPassword'] . ''; ?>

		 
		
		
	

	
		Register
		' . $success['register'] . ''; ?>
		' . $errors['register'] . ''; ?>

		Email Address
		
		' . $errors['registerEmail'] . ''; ?>

		Password
		
		' . $errors['registerPassword'] . ''; ?>

		Confirm Password
		
		' . $errors['registerConfirmPassword'] . ''; ?>

It’s not as scary as it looks. Lines 1 to 66 contain the main PHP functionality for the page, whereas the rest is simple HTML markup with a few little extras for validation (which, again, many other similar tutorials don’t cover!).

We start by including our config.php file which we’ve just created. We’re assuming that the file is in the same directory as this login.php file. This can be changed easily, but just remember to either update your paths to your config file, or set a globally accessible variable to build the paths dynamically.

Because we have included that config.php file, we can already assume the following:

We have declared session_start(), so we don’t need to re-declare that at all.
We have a valid database connection
We have run a check for a valid, logged-in user

We’re then declaring two empty arrays to hold errors and success messages. This will be used for validating the form, and notifying the user that they have successfully registered.

Next, we have two main if statements. One for the login attempt, and one for the register attempt. Both of which are looking for a hidden form variable to be set, with a value of ‘true’. I do this, as it’s my preferred method for checking for a form post, but feel free to use whatever method of checking for a form submission you prefer. The way this setup works is that on a standard page load (i.e. without a form submission) neither of the if statements will return true, as no form data would have been sent to it – but if we submit one of the forms, it will post back to itself and be dealt with accordingly. I like this method, as it allows me to keep functionality specific to a certain page, contained within that page.

The Login Attempt If Block

We’re firstly cleaning the posted variables, by trim()-ing them. This removes whitespace from the left and right side of the variable. This also gets around people just posting empty form elements, or form elements which have only spaces in them.

This is also setting a variable that we’ll use further down the page when we get to the form. How many times have you filled out a form on the web, only to have it not validate and then be faced with the same form – but completely blank! We’re going to use the $loginEmail variable on the loginEmail form element as the value, so if they mistype something, at least they won’t have to write their email address again (provided they typed it right the first time). It’s more of a proof-of-concept thing, rather than a MUST-DO for this tutorial.

After those two lines comes the validation. We’re using a regular expression to validate the email address, and simply checking the string length of the password to ensure it falls between 6 and 12 characters. If either fail, the $error array will be populated with the appropriate error messages, which will be used further down the page when we get to the actual form.

Following that, we have another if statement checking to see if we don’t have any errors. If we don’t, we then look on the database for a user with the email address provided, and the password – which is MD5 hashed using the MD5() MySQL function. If we get a result (in other words, there is a user with the email address and password provided), we update that row for the user so that their session_id field in our database gets the value of the PHP provided session_id().

We then simply push them to our landing page for authenticated users – in this example, it’s index.php. As we’ll be including the config.php file across all secure pages, we know we don’t need to worry about anything else, because our config.php file does a user authentication check every page anyway .

The Register Attempt If Block

Very similar to the login attempt if block, but within this, we have a confirmPassword form element that we need to make sure matches the password form element, and lines 50 to 53 are also checking that the email address doesn’t exist within the database. We don’t want two people registering under the same email address!

Provided we have no errors, we insert a new record for the user into our users table, setting the email address, password (using MD5), and date registered. If the query succeeds when we execute it (on line 60), we can set a success message which will be displayed below, otherwise we set an error message.

The Forms

I’m not going to go into too much detail regarding the markup of the actual HTML page, but I will say that it is using HTML5 (for those unfamiliar), and there is a stylesheet included to aid the layout of the forms / labels. Feel free to create your own, or take mine from the actual tutorial itself.

The forms themselves (loginForm and registerForm) should be self explanatory, but you just need to note the following:

Both forms have their action set to $_SERVER['PHP_SELF']. This makes sure that the form posts the submitted data to the same page (which will be dealt with accordingly as in our main PHP block at the top of the page.
Within the forms I am checking for the existence of error or success array variables, such as $errors['loginEmail'], and if they exist, I’m outputting the error message wrapped in a div with appropriate styling.
The login form has a hidden form element called loginSubmit, whereas the register form has a hidden form variable called registerSubmit. They are both set to ‘true‘. This is so we can identify which form was submitted when we post the data to the page. There are other ways of doing this, but I find this the cleanest for this tutorial.
The register form has an extra field called confirmPassword, which is used to check that the user has entered their password correctly when they register.

And that is all we need for our login / register page.

The Secure Page(s)

Almost finally, we need to create a secure page to demonstrate this authentication / user membership is working.

Create a new file called index.php and copy in the following code:

Welcome to the secure area

Secure Area

This is one (of many potential) pages that reside in the secure area. All you need to remember to do is to include the config.php file, which handles the user authentication every time.

Your user details are as follows:

The magic here, is that we don’t need to to much at all! As you can see, we don’t need to do anything but include the config.php file. You can create as many secure pages as you like, but just remember to have the config file included at the top of your pages. This page will always ensure that your customers are logged in and authenticated at all times, and if they’re not – they’ll be pushed right back to the login.php page.

Logging a User Out

The final part of this tutorial is showing how we log a user out securely.

Create a new file called login.php and add the following code:

include_once('config.php');
$query = 'UPDATE users SET session_id = NULL WHERE id = ' . $_SESSION['user']['id'] . ' LIMIT 1';
mysql_query($query);
unset($_SESSION['user']);
header('Location: login.php');
exit;

Very simple. We’re simply updating the users table to set the currently logged in user’s session ID (as stored in the database) to NULL, unsetting the $_SESSION['user'] variable, then pushing them to the login.php page.

This concludes my simple – but secure – user membership / authentication tutorial using PHP and MySQL. You should have learned how to securely authenticate a user, track their authentication across multiple pages, and securely log them out. If you have any questions at all, please post them in the comments and I’ll do my best to answer them for you.

Don’t forget, there is a…

DEMO: HERE

Simple PHP MySQL Class

Ed — Tue, 17 Aug 2010 20:50:35 +0000

That’s right! I have a simple MySQL class file that you can use in your PHP projects. I’ve been using it for years, and it’s never let me down!

You can grab it on my Github: http://github.com/a1phanumeric/PHP-MySQL-Class.

Setup

The setup is simple:

Simply include this class into your project like so:

include_once('/path/to/class.MySQL.php');

Then make sure you have the following definitions set:

MYSQL_HOST
MYSQL_USER
MYSQL_PASS
MYSQL_NAME

I usually include them in a globally included config file.

MYSQL_HOST = The hostname of the MySQL server (usually, but not always, ‘localhost’).

MYSQL_USER = Your username for the server / database

MYSQL_PASS = Your password for the server / database

MYSQL_NAME = The name of your database

Usage

To use this class, you’d first init the object like so:

$oMySQL = new MySQL();

The class constructor will perform a connection to the database automatically. To execute statements simply use:

$oMySQL->ExecuteSQL($query);

There’s plenty more to do with this class, such as get instantly arrayed results using:

$oMySQL->ArrayResults();

Or:

$oMySQL->ArrayResultsWithKey();

So have a play and let me know what you think …or fork me!

The code is all here:

http://github.com/a1phanumeric/PHP-MySQL-Class

Get Random Row with MySQL Without ORDER BY RAND()

Ed — Wed, 05 Mar 2008 12:12:24 +0000

This is an update to a previous post of mine which uses the RAND() method. Using the following code, you can retrieve a random row much, much faster (MySQL 4.1.x/5.0.x), with thanks to Jan Kneschke:

SELECT FROM

AS r1
JOIN (SELECT ROUND(
RAND( ) * (
SELECT MAX( id ) FROM

)
) AS id
) AS r2
WHERE r1.id >= r2.id
ORDER BY r1.id ASC
LIMIT 1;

Replace:

with the name of the column(s) you wish to retrieve

with the name of the table you wish to retrieve the data from

I've tested this with a table with over 660,000 records, and got a response in 0.0200 seconds, whereas with ORDER BY RAND() i got a response in 2.1599 seconds.

Total Number of Rows:

Old Method:

New Method:

Get Random Row with MySQL

Ed — Sat, 09 Feb 2008 00:51:31 +0000

UPDATE: Please see my newer atricle on how to retrieve a random row, faster, without RAND().

This post assumes you know how to create and use a connection to a MySQL database in PHP and have a table named ‘quotes’ as shown below. In this post, I will aim to teach you how to use PHP to pull random quotes from a MYSQL table of quotes. This can be easily extended to pull a random banner as will be explained at the end of the post.

Let’s firstly assume we have a MySQL table similar to the following:

+----+------------------------------------------------+
| id | quote                                          |
+----+------------------------------------------------+
| 1  | I know Karate... and many other Chinese words! |
+----+------------------------------------------------+
| 2  | w00t this is geeky                             |
+----+------------------------------------------------+
| 3  | You're CLINICALLY MENTAL!                      |
+----+------------------------------------------------+

Now, in your PHP code, we need to:

Build a suitable MySQL query to obtain a random result from the ‘quotes’ table.
Store the result of the query to be used in the HTML somewhere.
Output the result in the HTML somewhere.

So, for step one we’d use something like the following:

$sSQLQuery = "SELECT quote FROM quotes ORDER BY RAND() LIMIT 1";
$aResult = mysql_query($sSQLQuery);
$aRow = mysql_fetch_array($aResult, MYSQL_ASSOC);
$sQuoteOfTheDay = $aRow['quote'];

There, the variable ‘$sQuoteOfTheDay’ now has the value of our randomly pulled quote. Let’s just analyse each line of the code above to see what it does.

$sSQLQuery = "SELECT quote FROM quotes ORDER BY RAND() LIMIT 1";

This line stores the MySQL query we’re going to use against the database. It says, in laymans terms, “Select just one random value of the quote field from the table named quotes”. All this line does though is store the query into the variable ‘$sSQLQuery’.

$aResult = mysql_query($sSQLQuery);

This line runs the MySQL query, storing the result of running the query in the variable ‘$aResult’. It’s important that we store the result of the mysql_query in a variable, as the result of running a successful MySQL query using PHP’s function ‘mysql_query’ doesn’t return a nicely formatted array that we can necessarily use.

$aRow = mysql_fetch_assoc($aResult);

This is probably the hardest line for me to explain. Firstly, many of you may have seen a similar line like this used in a ‘while’ loop. However, our MySQL query used the ‘LIMIT 1′ string, so we know we’re only going to get ONE result, hence no need for a loop. The function ‘mysql_fetch_assoc’ takes one parameter: the result of the successful ‘mysql_query’ which as we know is ‘$aResult’. My biggest tip here is to use the ‘assoc’ method wherever possible, as it creates the array in such a way that we can reference each element by the column name, not a number. This is particularly useful if you ever update the MySQL table to have more columns.

Anyway, this line basically says ‘Fill the variable ‘$aRow’ with the CURRENT row of the returned query’. We know that the CURRENT row of the returned query is the ONLY row, hence (again) the lack of a loop. As the result of our query would return something like:

+-----------------------------------------------+
| quote                                         |
+-----------------------------------------------+
| You're CLINICALLY MENTAL!                     |
+-----------------------------------------------+

Our variable (or array) would literally look something like:

Array ( "quote" = "You're CLINICALLY MENTAL!" )

Which leads us on to our last line:

$sQuoteOfTheDay = $aRow['quote'];

Which just assigns the value of ‘$aRow['quote']‘ to the variable ‘$sQuoteOfTheDay’. In other words, ‘$sQuoteOfTheDay’ now has the value of a random quote pulled from the database of quotes.

To use this in an HTML page, we would simply just use this (AFTER the above code has grabbed the random quote from the DB for us):

echo $sQuoteOfTheDay;

Which will output the quote of the day somewhere in the HTML code.

As I said at the beginning, this can be extended easily to pull an image for a banner by simply changing the quotes table to store image paths such as ‘images/my_image.png’ which can then be pulled in the same way, and then output similar to the following:

" alt="My Image" />

Obviously we changed the variable name here to $sImageOfTheDay just to keep things constant.

Hope this has helped someone!