Jul 02, 2012, by admin
Have you ever worried that your login scripts are insecure? For assurance, follow this guide on how to create a secure login script in PHP and MySQL. If you haven’t created login or similar scripts in PHP and MySQL before, try the more simplest How to Create a Basic Login Script in PHP guide.
1.Install PHP and MySQL on your server.
2.Create a MySQL database with your database manager. This how to guide will assume you named the database test, but you may name it anything.
Example
CREATE TABLE `members` (
`username` varchar(20),
`password` varchar(128)
)
3.Create a MySQL table named members. It should hold two columns, username and password, both of the varchar data type with a maximum of 20 and 128 letters. Length of the password column is determined by chosen hash algorithm (such as sha512 used in this example).
Example:
<form action=”process_login.php” method=”post”>
Username: <input type=”text” name=”username” /><br />
Password: <input type=”password” name=”password” /><br />
<input type=”submit” value=”Login” />
</form>
4.Create the login form. This must be a HTML form with two text fields, named username and password. A submit form is also required. Make sure action is set to the processing PHP page and method as post.
Example (Logging in to MySQL server):
$host = ‘localhost’; // Host name Normally ‘LocalHost’
$user = ‘root’; // MySQL login username
$pass = ”; // MySQL login password
$database = ‘test’; // Database name
$table = ‘members’; // Members name
mysql_connect($host, $user, $pass);
mysql_select_db($database);
Example (Sanitising variables and running query):
$username = mysql_real_escape_string($_POST[‘username’]);
$password = hash(‘sha512’, $_POST[‘password’]);
$result = mysql_query(“SELECT * FROM $table WHERE username = ‘$username’ AND password = ‘$password’
“);
Example (Validating):
if(mysql_num_rows($result))
{
// Login
session_start();
$_SESSION[‘username’] = htmlspecialchars($username); // htmlspecialchars() sanitises XSS
}
else
{
// Invalid username/password
echo ‘<p><strong>Error:</strong> Invalid username or password.</p>’;
}
// Redirect
header(‘Location: http://www.example.com/loggedin.php’);
exit;
5.Create the login processing page. If following our previous example, this should be named process_login.php. You must use mysql_real_escape_string() to escape of the username from SQL injections and use a hashing function such as hash with sha512 for extra security.
<div style=”background-color: #f9f9f9; border: 1px solid silver; color: #110000;height:auto;width:60% !important; padding:10px;”>
sdfsdasdasd324324
</div>
6.Check logged in status. Do this by checking if username is in the session variables, you may also display their username.
Example:
session_start();
session_destroy();
header(‘Location: http://www.example.com/’);
7.Create a logout script. Your logout script must start the session destroy it and then redirect to somewhere else.