How to Create a Secure Login Script in PHP and MySQL

Jul 02, 2012, by admin

php-and-mysqlHave you ever worried that your login scripts are insecure? For assurance, follow this guide on how to create a secure login script in PHP and MySQL. If you haven’t created login or similar scripts in PHP and MySQL before, try the more simplest How to Create a Basic Login Script in PHP guide.

Easy steps

1.Install PHP and MySQL on your server.

2.Create a MySQL database with your database manager. This how to guide will assume you named the database test, but you may name it anything.

Example

CREATE TABLE `members` (

  `username` varchar(20),

  `password` varchar(128)

)

3.Create a MySQL table named members. It should hold two columns, username and password, both of the varchar data type with a maximum of 20 and 128 letters. Length of the password column is determined by chosen hash algorithm (such as sha512 used in this example).

Example:

<form action=”process_login.php” method=”post”>

Username: <input type=”text” name=”username” /><br />

Password: <input type=”password” name=”password” /><br />

<input type=”submit” value=”Login” />

</form>

 4.Create the login form. This must be a HTML form with two text fields, named username and password. A submit form is also required. Make sure action is set to the processing PHP page and method as post.

Example (Logging in to MySQL server):

$host = ‘localhost’; // Host name Normally ‘LocalHost’

$user = ‘root’; // MySQL login username

$pass = ”; // MySQL login password

$database = ‘test’; // Database name

$table = ‘members’; // Members name

 

mysql_connect($host, $user, $pass);

mysql_select_db($database);

Example (Sanitising variables and running query):

$username = mysql_real_escape_string($_POST[‘username’]);

$password = hash(‘sha512’, $_POST[‘password’]);

 

$result = mysql_query(“SELECT * FROM $table WHERE username = ‘$username’ AND password = ‘$password’

“);

Example (Validating):

if(mysql_num_rows($result))

{

  // Login

  session_start();

  $_SESSION[‘username’] = htmlspecialchars($username); // htmlspecialchars() sanitises XSS

}

else

{

  // Invalid username/password

  echo ‘<p><strong>Error:</strong> Invalid username or password.</p>’;

}

 

// Redirect

header(‘Location: http://www.example.com/loggedin.php’);

exit;

5.Create the login processing page. If following our previous example, this should be named process_login.php. You must use mysql_real_escape_string() to escape of the username from SQL injections and use a hashing function such as hash with sha512 for extra security.

Example:

<div style=”background-color: #f9f9f9; border: 1px solid silver; color: #110000;height:auto;width:60% !important; padding:10px;”>

 

sdfsdasdasd324324

 

</div>

6.Check logged in status. Do this by checking if username is in the session variables, you may also display their username.

Example:

session_start();

session_destroy();

header(‘Location: http://www.example.com/’);

7.Create a logout script. Your logout script must start the session destroy it and then redirect to somewhere else.