A Simple Login System Using PHP and MySQL

Difficulty: Very Easy
Cost: Free

This is a simple login system that has been very reliable and secure for me. I use it myself on my websites when a simple login system is needed. If you know a little MySQL and PHP, it is very easy to use.

First, you will need MySQL installed on your computer. I have XAMPP installed and I use phpMyAdmin for accessing my databases. They are free to download; just search for them online. You also need to create a database in MySQL. As you proceed, remember that file names on Linux servers are always case-sensitive: LOGIN.PHP is not the same as login.php, as it is on Windows servers.

How to make a login

  1. Run this SQL command in your MySQL database (you must have one):

    -- ENGINE= replaces the old TYPE= keyword, which MySQL 5.5 and later reject
    CREATE TABLE `users` (
      `id` int(3) NOT NULL auto_increment,
      `login` varchar(8) default NULL,
      `password` varchar(8) default NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=MyISAM AUTO_INCREMENT=3;

    This will create the table that will record the usernames and passwords.

  2. Then, create the LOGIN.PHP file. This page will contain the form that submits the user's data.

    <?
    session_name("MyLogin");
    session_start();
    session_destroy(); // opening the login page ends any existing session

    // show the failure reason that log.php passes back in the URL
    if($_GET['login'] == "failed") {
        print $_GET['cause'];
    }
    ?>
    <form name="login_form" method="post" action="log.php?action=login">
    Login: <input type="text" name="user"><BR>
    Password: <input type="password" name="pwd"><BR>
    <input type="submit">
    </form>

  3. Now, create the LOG.PHP file. This is the file that performs the action of the form.

    <?
    session_name("MyLogin");
    session_start();

    if($_GET['action'] == "login") {
        $conn = mysql_connect("localhost","user","password"); // your MySQL connection data
        $db = mysql_select_db("DATABASENAME"); // put your database name in here
        $name = $_POST['user'];
        // table name in lower case, matching the CREATE TABLE above
        // (table names are case-sensitive on Linux servers)
        $q_user = mysql_query("SELECT * FROM users WHERE login='$name'");

        if(mysql_num_rows($q_user) == 1) {
            $query = mysql_query("SELECT * FROM users WHERE login='$name'");
            $data = mysql_fetch_array($query);
            if($_POST['pwd'] == $data['password']) {
                session_register("name");
                header("Location: yourpage.php"); // success page. put the URL you want
                exit;
            } else {
                header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
                exit;
            }
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
            exit;
        }
    }

    // if the session is not registered
    if(session_is_registered("name") == false) {
        header("Location: login.php");
        exit; // stop here so the rest of the protected page is not sent
    }
    ?>

  4. If you were paying attention, you noticed that the login leads the user to YOURPAGE.PHP. Add these lines of code to every page that you want to secure (including yourpage.php):

     

    <?
    require("log.php");
    ?>

    Printing the user name on the screen is very easy. Just add this code:

    <? print $_SESSION["name"]; ?>

That's it. It works out fine, but if you have any trouble with it, please contact me!!!

Marcos Riso

WebDeveloper - marcos@chipweb.com.br

Required Tools:
Computer
Code Editor
Internet Browser

Comments

Marcos, good tips. Unfortunately, it all looks like "greek" to me, I think I'll hire a pro!

One point: You will need a server to run this code, because PHP is a server-side scripting language. If you install the XAMPP package, as I wrote in the article, the Apache server will be set up automatically on your computer. If you download and install MySQL only, it will not work. You will need to install the Apache Server.

FYI, there's an SQL injection in there. If you're on a server with magic_quotes set to off, then that is bad news :(

In the code:

    if(mysql_num_rows($q_user) == 1) {

    $query = mysql_query("SELECT * FROM USERS WHERE login='$name'");
    $data = mysql_fetch_array($query);

You don't need to run the same query again :D

Change it to:

    if(mysql_num_rows($q_user) == 1) {

    $data = mysql_fetch_array($q_user);

Not trying to be mean or anything, just trying to help you out :)

Ah sorry, as another suggestion, try to avoid using short tags. Instead of <? use <?php.

<?php is guaranteed to work on all php servers, while <? is set to off by default.

A final security note: At the top:

    if($_GET['login'] == "failed") {
    print $_GET['cause'];
    }

This allows for users to insert HTML into your page. All I have to do is add ?cause=alert(':)'); to the page.

To fix:

    if($_GET['login'] == "failed") {
    print htmlentities($_GET['cause']);
    }

Again, not trying to sound like a Jerk or anything, just letting you know about some security issues :D
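
The SQL injection noted above comes from `$name` being pasted into the query string, and the same handler compares passwords stored in plaintext. As an added example (not the article's or the commenters' code), this is one way to write the credential check with a bound parameter and `password_hash()`/`password_verify()`. The `check_login()` helper, the `password_hash` column and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// for MySQL, change only the DSN, e.g. 'mysql:host=localhost;dbname=...'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    login VARCHAR(64) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL)');   // assumed column, wide enough for a hash

// Registration side: store a salted hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO users (login, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed user

// Hypothetical helper: returns the user's id, or null for any failure.
function check_login(PDO $pdo, string $login, string $password): ?int
{
    // $login is bound as a parameter, so quotes in it are data, not SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $row['id'];
}

// How log.php would use it (sketch, kept as comments because it needs a web request):
//   $id = check_login($pdo, $_POST['user'] ?? '', $_POST['pwd'] ?? '');
//   if ($id === null) { header('Location: login.php?login=failed'); exit; }
//   session_regenerate_id(true);   // fresh session id after login
//   $_SESSION['user_id'] = $id;

// Constructed inputs: valid login, wrong password, and a quote-laden login name.
foreach ([['alice', 'correct horse'], ['alice', 'guess'], ["alice' OR '1'='1", 'x']] as $try) {
    var_dump(check_login($pdo, $try[0], $try[1]));
}
```
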

Thank you James! You're right, I corrected my logins ...

Thanks for these tips and also the comments to enhance it.

Useful and informative article. One suggestion: use password data type of password field instead of varchar. Then you also need to use passwd() function in reading and writing into this field.

It's a good tutorial for beginners. So security should not be a prime issue when learning how this code works.
But, in "real" life, this script would need tons of security fixes. Such as stripping tags, magic quotes, base_64 encode for session username, md5 hash for password, force login attacks (by disabling the submit button and creating a cookie to disable multiple processing), and use a verification image or question to prevent bots.

Hello, I am very new to PHP and MySQL. I was wondering if you can help me in setting up the database itself. I am getting the below errors when I go to the page. Any help would be greatly appreciated. I want people to have to be registered in order to visit certain pages. Thanks in advance.

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/rxp/public_html/index.php:6) in /home/rxp/public_html/index.php on line 310

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/rxp/public_html/index.php:6) in /home/rxp/public_html/index.php on line 310
Login:
Password:

Warning: require(log.php) [function.require]: failed to open stream: No such file or directory in /home/rxp/public_html/index.php on line 325

Warning: require(log.php) [function.require]: failed to open stream: No such file or directory in /home/rxp/public_html/index.php on line 325

Fatal error: require() [function.require]: Failed opening required 'log.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rxp/public_html/index.php on line 325

To Rob Thompson:

To fix your problem you need to start your pages with the "<?php"-tag and end the PHP-script before your HTML-code begins. Like this:

    <?php
    // This is the first thing you put in your page.
    ?>
    And here goes your HTML-code.

If you do that with all the pages that use PHP I think it will solve your problem.