How to Create a Secure Login Script in PHP and MySQL
Jul 02, 2012, by admin
Have you ever worried that your login scripts are insecure? For assurance, follow this guide on how to create a secure login script in PHP and MySQL. If you haven’t created login or similar scripts in PHP and MySQL before, try the more simplest How to Create a Basic Login Script in PHP guide.
Easy steps
1.Install PHP and MySQL on your server.
2.Create a MySQL database with your database manager. This how to guide will assume you named the database test, but you may name it anything.
Example
CREATE TABLE `members` (
`username` varchar(20),
`password` varchar(128)
)
3.Create a MySQL table named members. It should hold two columns, username and password, both of the varchar data type with a maximum of 20 and 128 letters. Length of the password column is determined by chosen hash algorithm (such as sha512 used in this example).
Example:
<form action=”process_login.php” method=”post”>
Username: <input type=”text” name=”username” /><br />
Password: <input type=”password” name=”password” /><br />
<input type=”submit” value=”Login” />
</form>
4.Create the login form. This must be a HTML form with two text fields, named username and password. A submit form is also required. Make sure action is set to the processing PHP page and method as post.
Example (Logging in to MySQL server):
$host = ‘localhost’; // Host name Normally ‘LocalHost’
$user = ‘root’; // MySQL login username
$pass = ”; // MySQL login password
$database = ‘test’; // Database name
$table = ‘members’; // Members name
mysql_connect($host, $user, $pass);
mysql_select_db($database);
Example (Sanitising variables and running query):
$username = mysql_real_escape_string($_POST[‘username’]);
$password = hash(‘sha512’, $_POST[‘password’]);
$result = mysql_query(“SELECT * FROM $table WHERE username = ‘$username’ AND password = ‘$password’
“);
Example (Validating):
if(mysql_num_rows($result))
{
// Login
session_start();
$_SESSION[‘username’] = htmlspecialchars($username); // htmlspecialchars() sanitises XSS
}
else
{
// Invalid username/password
echo ‘<p><strong>Error:</strong> Invalid username or password.</p>’;
}
// Redirect
header(‘Location: http://www.example.com/loggedin.php’);
exit;
5.Create the login processing page. If following our previous example, this should be named process_login.php. You must use mysql_real_escape_string() to escape of the username from SQL injections and use a hashing function such as hash with sha512 for extra security.
Example:
<div style=”background-color: #f9f9f9; border: 1px solid silver; color: #110000;height:auto;width:60% !important; padding:10px;”>
sdfsdasdasd324324
</div>
6.Check logged in status. Do this by checking if username is in the session variables, you may also display their username.
Example:
session_start();
session_destroy();
header(‘Location: http://www.example.com/’);
7.Create a logout script. Your logout script must start the session destroy it and then redirect to somewhere else.
