A Simple Login System Using PHP and MySQL

Difficulty: Very Easy
Cost: Free

This is a simple login system that has been very reliable and secure for me. I use it myself on my websites, when a simple login system is needed. If you know a little of MySQL and PHP, it is very easy to use.

First, you will need MySQL installed on your computer. I have XAMPP installed and I use phpMyAdmin for accessing my databases. They are free to download; just search for them online. You also need to create a database in MySQL. And as you proceed, remember that file names on Linux servers are always case sensitive: LOGIN.PHP is not the same file as login.php, as it would be on Windows servers.

  1. Run this SQL command in your MySQL database (you must have one):

    -- ENGINE replaces the older TYPE keyword, which current MySQL versions reject
    CREATE TABLE `users` (
      `id` int(3) NOT NULL auto_increment,
      `login` varchar(8) default NULL,
      `password` varchar(8) default NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=MyISAM AUTO_INCREMENT=3 ;

    This will create the table that will record the usernames and passwords.

  2. Then, create the login.php file. This page will contain the form that submits the user's data.

    <?
    // Opening the login page always ends any existing session
    session_name("MyLogin");
    session_start();
    session_destroy();

    // log.php redirects back here with login=failed and a cause message
    if($_GET['login'] == "failed") {
        print $_GET['cause'];
    }
    ?>
    <form name="login_form" method="post" action="log.php?action=login">
    Login: <input type="text" name="user"><BR>
    Password: <input type="password" name="pwd"><BR>
    <input type="submit">
    </form>

  3. Now, create log.php. This is the file that performs the action of the form.

    <?
    session_name("MyLogin");
    session_start();

    if($_GET['action'] == "login") {
        $conn = mysql_connect("localhost","user","password"); // your MySQL connection data
        $db = mysql_select_db("DATABASENAME"); // put your database name in here
        $name = $_POST['user'];
        // table name in lower case, as created in step 1 (case matters on Linux)
        $q_user = mysql_query("SELECT * FROM users WHERE login='$name'");

        if(mysql_num_rows($q_user) == 1) {

            $query = mysql_query("SELECT * FROM users WHERE login='$name'");
            $data = mysql_fetch_array($query);
            if($_POST['pwd'] == $data['password']) {
                session_register("name");
                header("Location: yourpage.php"); // success page. put the URL you want
                exit;
            } else {
                header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
                exit;
            }
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
            exit;
        }
    }

    // if the session is not registered
    if(session_is_registered("name") == false) {
        header("Location: login.php");
        exit; // stop here so the protected page is not sent along with the redirect
    }
    ?>

  4. If you were paying attention, you noticed that a successful login sends the user to yourpage.php. Add these lines of code to every page that you want to secure (including yourpage.php):

    <?
    require("log.php");
    ?>

    Printing the user name on the screen is very easy. Just add this code:

    <? print $_SESSION["name"]; ?>

That's it. It works out fine, but if you have any trouble with it, please contact me!!!

Marcos Riso

WebDeveloper - marcos@chipweb.com.br

Required Tools:
Computer
Code Editor
Internet Browser

Comments

Marcos, good tips. Unfortunately, it all looks like "greek" to me, I think I'll hire a pro!

One point: You will need a server to run this code, because PHP is a server-side scripting language. If you install the XAMPP package, as I wrote in the article, the Apache server will be set up automatically on your computer. If you download and install MySQL only, it will not work. You will need to install the Apache Server.

FYI, there's an SQL injection in there. If you're on a server with magic_quotes set to off, then that is bad news :(

In the code:

    if(mysql_num_rows($q_user) == 1) {

    $query = mysql_query("SELECT * FROM USERS WHERE login='$name'");
    $data = mysql_fetch_array($query);

You don't need to run the same query again :D

Change it to:

    if(mysql_num_rows($q_user) == 1) {

    $data = mysql_fetch_array($q_user);

Not trying to be mean or anything, just trying to help you out :)

Ah sorry, as another suggestion, try to avoid using short tags. Instead of <? use <?php.

<?php is guaranteed to work on all php servers, while <? is set to off by default.

A final security note: At the top:

    if($_GET['login'] == "failed") {
    print $_GET['cause'];
    }

This allows for users to insert HTML into your page. All I have to do is add ?cause=alert(':)'); to the page.

To fix:

    if($_GET['login'] == "failed") {
    print htmlentities($_GET['cause']);
    }

Again, not trying to sound like a Jerk or anything, just letting you know about some security issues :D

Thank you James! You're right, I corrected my logins ...
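
The SQL injection mentioned in the comments comes from pasting `$_POST['user']` straight into the query string in log.php. As an added example (not the author's or any commenter's code), here is that login branch with the value bound as a query parameter through PDO. The helper names are hypothetical, and it assumes the `password` column stores `password_hash()` output, which needs a wider column than the article's varchar(8).

```php
<?php
// Added example, not the article's code: the login branch of log.php with
// the user name bound as a query parameter instead of pasted into the SQL.
// Assumptions: PDO with the MySQL driver, the article's placeholder connection
// data, and a `password` column holding password_hash() output.
session_name("MyLogin");
session_start();

// Hypothetical helper: look one user up by login name.
function find_user(PDO $pdo, string $login): ?array
{
    // The "?" is filled in by the driver as data only, so a quote in
    // $login cannot end the string literal and change the statement.
    $stmt = $pdo->prepare("SELECT login, password FROM users WHERE login = ?");
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: the same failure redirect the article uses.
function login_failed(string $cause): void
{
    header("Location: login.php?login=failed&cause=" . urlencode($cause));
    exit;
}

if (($_GET['action'] ?? '') === "login") {
    $pdo = new PDO(
        "mysql:host=localhost;dbname=DATABASENAME;charset=utf8mb4",
        "user", "password",
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false] // server-side prepared statements
    );
    $user = find_user($pdo, (string) ($_POST['user'] ?? ''));
    if ($user === null) {
        login_failed('Invalid User');
    }
    if (!password_verify((string) ($_POST['pwd'] ?? ''), $user['password'])) {
        login_failed('Wrong Password');
    }
    session_regenerate_id(true);        // new session id once authenticated
    $_SESSION['name'] = $user['login']; // replaces session_register("name")
    header("Location: yourpage.php");   // success page, as in the article
    exit;
}
```

The `cause` value still travels in the URL, so login.php needs the `htmlentities()` fix from the comment above when it prints it.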