[TUTORIAL] Basic PHP Login System.


CoconutJJ

Here's a fully working login system where users can sign up and access a members page.

Features Include:

- Login & Sign Up Page

- Members Page Only

 

**NOTE: I have not added any security code, you'll need to add this by yourself...**

 

Step 1: Creating a Login and Sign Up Form.

 

This will be a simple login page where users can enter their username and password, then click the submit button to access the members page. "login.php" will be the script that will be executed when they login. This processes the user information entered to check the validity through a database of users.

HTML LOGIN FORM:

```html
<form method="post" action="login.php">
  <input type="text" placeholder="username" name="username">
  <input type="password" placeholder="password" name="password">
  <input type="submit" value="Submit">
</form>
```

This will be a simple register page where users can enter their desired username and password, then click the register button to make an account. "register.php" will be the script that will be executed when they register. This processes the user information and enters the information to the database.

```html
<form method="post" action="register.php">
  <input type="text" placeholder="Desired Username">
  <input type="password" placeholder="Desired Password">
  <input type="password" placeholder="Password Again">
  <input type="submit" value="Register">
</form>
```

Step 2: Creating the login.php and register.php scripts

Login Script

```php
<?php
session_start(); //Starts User Session... will explain later
include("connect.php")//I'm going to assume you know how to connect to a database.
$username = $_POST["username"];
$password = $_POST["password"];
//Sanitize DATA HERE
//Assuming you have the corresponding column names...
$q = mysqli_query($connect, "SELECT * FROM users WHERE username='$username' AND password='$password' ")
$numrows = mysqli_num_rows($q);//Here we get the number of rows that correspond with the users information
if($numrows == 1){//If the number of rows is equal to 1, let them login
  while($rows = mysqli_fetch_assoc($q)){//Here we retrieve values from database and initiate SESSION Variables
    $_SESSION["username"] = $row["username"];
    $_SESSION["password"] = $row["password"];
  }
  header("location: memberspage.php")//redirect to members page... information correct.
} else {
  header("location: index.php")//go back to login page... information incorrect.
  //error message here...
}
```

Register Script

```php
<?php
session_start(); //Starts User Session... will explain later
include("connect.php")//I'm going to assume you know how to connect to a database.
$username = $_POST["username"];
$password = $_POST["password"];
$password2 = $_POST["confirm"];
//Sanitize DATA HERE
if($password == $password2){
  //Assuming you have the corresponding column names...
  $q = mysqli_query($connect, "SELECT * FROM users WHERE username='$username'")
  $numrows = mysqli_num_rows($q);//Check if username is taken...
  if($numrows == 0){//If the number of rows is equal to 0, let them register
    $q = mysqli_query($connect, "INSERT INTO users (username, password) VALUES ('$username', '$password")
    header("location: index.php")//redirect to login page
    //login success message here
  } else {
    header("location: index.php")//go back to login page
    //username taken message
  }
} else {
  //password no match message
}
```

Step 3: Members Page

 

This is the members page... you can only access this page after login.

memberspage.php

```php
<?php
if(!isset($_SESSION["username"])){//IF user is not logged in, redirect to login page. This checks whether the username session var has been created yet.
  header("location: index.php");
}
//else... load the members page
?>
<!DOCTYPE html>
<!--HTML HERE FOR MEMBERS PAGE-->
```

This is pretty much it... Remember to change column names where necessary... Don't forget the connect.php file !

 

It is suggested you change mysqli_query() to prepared statements. You can do this on your own.

Edited by CoconutJJ
Link to comment
Share on other sites

Your code is open to SQL injection. In simple terms, it's easy to hack your website.

 

Since your passwords aren't encrypted, not only can they extract all the information out of the database with SQL injection, but they'll also have all the passwords available too.

Link to comment
Share on other sites

> I have not added any security code, you'll need to add this by yourself...
>
> It is suggested you change mysqli_query() to prepared statements. You can do this on your own.

What's the point of this tutorial? You show some code that, if someone copies and follows, is going to create a horribly insecure system, and then you tell people to add security by themselves? This tutorial is obviously aimed at a beginner programmer that doesn't know how to log people in, how are they going to know how to sanitize values and use prepared statements? This doesn't help new programmers, this gives them something that appears to "work" in simple situations, but in reality is full of bad practice. New programmers should not be learning bad practices from the start. New tutorials need to show prepared statements and things like password hashing. Knowing how to insert some data into a database in an insecure way isn't something we want to teach people.

> //Starts User Session... will explain later

But you don't explain it later, and you also don't start the session on the member page before checking if they're logged in.

> //I'm going to assume you know how to connect to a database.

Why would you assume that there is a programmer out there who knows how to connect to a database but not process a login form?

Other than that, your code has multiple fatal syntax errors, so you didn't even test what you posted. So, what exactly is this tutorial trying to teach people?
Link to comment
Share on other sites
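
The fixes the replies ask for (prepared statements, password hashing, starting the session on the members page), shown as an added example that is not part of the thread or of CoconutJJ's code. It assumes PDO with an in-memory SQLite database in place of the MySQL connection from connect.php so it runs without a server; the function names are hypothetical.

```php
<?php
// Added example, not the thread's code. In-memory SQLite (PDO) stands in for
// the MySQL connection in connect.php; function names are hypothetical.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register_user(PDO $db, string $user, string $pass, string $confirm): bool {
    if ($user === '' || $pass === '' || $pass !== $confirm) {
        return false;
    }
    try {
        // Placeholders keep input out of the SQL text; only a salted hash is stored.
        $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
        return $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // e.g. PRIMARY KEY violation: username already taken
    }
}

function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return is_string($hash) && password_verify($pass, $hash);
}

// login.php calls this once check_login() has returned true.
function start_member_session(string $user): void {
    session_start();
    session_regenerate_id(true);   // fresh session ID after authentication
    $_SESSION['username'] = $user; // the password never goes into the session
}

// memberspage.php calls this first; exit stops the page after the redirect.
function require_login(): void {
    session_start();
    if (!isset($_SESSION['username'])) {
        header('Location: index.php');
        exit;
    }
}

if (PHP_SAPI === 'cli') { // demo on constructed input
    var_dump([
        'register alice'        => register_user($db, 'alice', 'correct horse', 'correct horse'),
        'register alice again'  => register_user($db, 'alice', 'other', 'other'),
        'login, right password' => check_login($db, 'alice', 'correct horse'),
        'login, quote in name'  => check_login($db, "alice' OR '1'='1", 'x'),
    ]);
}
```

With mysqli the same pattern is `$connect->prepare()`, `bind_param()`, `execute()` and `get_result()` on the statement object.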
