Join Kevin Skoglund for an in-depth discussion in this video Creating a login system, part of PHP with MySQL Essential Training (2013).
In this movie, we'll create the Login page. Process login attempts and if the user is successful we'll mark the user as being logged in as an admin. The easiest way for us to get started with a Login page that people can login from, is to start with our new Admin.php page. That already has a form that's pretty similar. So I'm just going to do Save As on that. We're going to call it login.php. Let's jump down to the form portion here. So, it's still going to say admin area at the top. I think that's still appropriate, even though we're not actually inside the admin area because the login page is the doorway to the admin area. I'm going to go ahead and have it say admin at the top. Don't need to have anything in the navigation.
We can still have our message and form errors. The h2 here is just going to say login. We want to make sure that the form is going to submit to itself, login.php and the username and the password we'll still use, but the label on the submit button is just going to say submit, and we won't need it to say cancel at the bottom. Alright, let's jump up to the form portion now If the person submits the form, we're going to process it. It's up to you whether you do these validations or not. We don't want to do the second one for max_lengths.
But the first one, to make sure that it's required, that's really optional. You can make sure that it's required if you want or you could go ahead and take a blank user name and password, and try and find those in the database. I'm going to go ahead and require them not to be blank before I process the form. If there are no errors. In other words, we have a user name and password. We're going to do something different here. We're going to attempt the login instead. And so this is all going to look very different. We're just going to take that out. Instead of writing sql right here, let's create a function that'll do this for us. I like functions. So let's say found admin equals attempt_login.
And it's going to take username and password as arguments. And so that'll handle everything for us. It'll either find the admin or it'll return something like null or false that will let us know that it didn't find them. And so if it finds an admin, we'll have success. We will then mark user as logged in. And redirect them to admin.php, that's our menu page. If there's failure, then we're going to return a message than can just say "login failed" or, I'm going to say "Username/password not found." Now notice that I did not tell them which one was wrong.
I didn't tell them, hey your username was wrong, or your password was wrong. I don't want to give them any clues. That might help them to hack the sight. Instead I'm just going to say, sorry login failed. That combination didn't work, just in general and it's up to you to try and figure out what you did wrong. Let's go up here and notice that we have user name and password. We're going to need to set those user name, which is going to equal to post, user name and password will be the same thing.
But password. Now, part of the reason that I set these to other variables instead of just passing post directly in here, is because I want to be able to use username. Down here in the form as a value. If they've submitted the form previously then I want to echo back that username to them. I think that is a nice user interface feature. PHP echo htmlentities username and that way they don't have to type their username again just because they got their password wrong.
It always irritates me when I go to websites and I have to refill out the whole thing both my username and password just because I mistyped my password. We're not going to do that for password though because you can't see it anyway. It's going to have those dots there, so there's no way for us to see a type and correct it or anything like that. And of course, if I'm going to display the username some of the time, then I need to make sure I have a value all of the time. So that means that instead of just here, if errors are empty having a username, I need to have one all the way up here at the very top, username equals, I just need my $ sign at the beginning.
So now I have a default value which is an empty string. That'll always be available for the form. So let's just try it out. Let's open up Firefox and go to login.php. And there we go and let's just submit it with no username and password and you'll see that I get my errors there. So that's the, the beginning of it. If we submit it with a correct username and password or even an incorrect one, we want it to now attempt to login. So we need this function written for attempt_login. So we'll go create that and then we'll come back over here and we'll market eh user as logged in if they succeed. So let's do attempt log in, I'm going to close that up, we'll open up functions and down here at the bottom below password check, function attempt login, which is going to take two arguments, user name, password. And let's think about what this is going to do for a second. What do we want to do to attempt a log-in.
Well we want to compare and find out if the database has this user name password combination. In order to check the password though remember we need to use our password check function that we wrote which needs an existing hash. That existing hash is stored in the database. So its a two step process. We first have to look up the user. And if we find the user then take their existing hash and compare it against a password. If we don't find a user obviously the login failed or if the password doesn't match it failed. So two step process. Find the user then find their password. So finding the user, finding this admin, we've actually done before. We had find admin by id.
It's the exact same process, so I'm actually going to just copy that whole function and I'm just going to paste it right here below it, find_admin_by user name. That's the only difference is that instead of using the admin id to find them, we're going to find them by their user name. So everything else works pretty much the same. We going to take user name it gets passed on and we are gong to use MySQL real escape string on that and then will put it into our SQL query. Select all from admins where username equals now we use safe username.
We also need to make sure we put single quotes around that 'cause its a string, alright? Before, it was an integer. Now its a string, so we need to put those quote marks. That'll then look for that in the database and return admin_set and it will either return an admin or return null. We don't need to make any other changes to it, that's it. We're just finding a user by username instead of finding them by ID. So let's take that function and drop down here and use it. So we'll just say admin equals, find admin by username, we'll pass in whatever we have as a username.
So if we have that admin, right? The other choices would have returned null to us. So if we find the admin, then we found admin, now check password. And if not, then admin not found and we'll just return false. Now I could return null here but I'm going to return false for attempt login, it seems more appropriate that it would return a true or false type thing. So found admin, now check password so how do we check the password? We use our password check function up here.
So let's just copy this portion. So if password check password. And existing hash isn't existing hash anymore, it's going to be the admin and then the column there is hash password. That's where our existing hash lives. Let me just open this window a little bit wider. So if we check the password and it we get back either true, remember password check either returns true or false. So if it returns true then password matches and we can return, I'm going to return the actual admin, this hash.
I'll return that back to the user instead of true so that then they can use that admin because we're going to want to use that. And if not, then password does not match will return false. Notice that I'm returning false whether the admin was found or whether the password does not match. I'm not making a distinction. So it's not possible to tell from the attempt login function which one went wrong. I just know that it didn't get back at admin, so it must not have worked. So let's save that. Let me just double check it real quick.
It all looks good. Let's jump back over to our login.php page. So attempt-login will either get an admin back or not. If if has an admin, then mark the user as logged in. So how do we do that? Well, we could put something in the cookie. Like this, admin id and that's going to be equal to the found admin id. So we find an admin and set a cookie equal to that. The problem with cookies is that cookies remember are visible to the user by default in their browser. And on top of that we saw that cookie data can actually be faked as well. So we don't want to trust something that's this important to put in a cookie. It's much better to put it in a session.
Then the user can't see it. It's on the server side. They can see the session id and know where the session is, what the name of the session is but that doesn't help them. It doesn't allow them to put any data in there or anything. So it's much more secure for us to use the session in this case. And then, let's also go ahead and store the username. And the reason I'm doing this is not to make sure that they're logged in, which is what I'm going to use admin_id for, this is just for convenience. This is going to allow me to always know what this person's username is. Every page, I can just pull this value out of the session and I'll know what their username is. I can display it up in the header if I want or I can use it inside the text to refer to them.
I can store it whenever they make certain changes. I'll always know what this persons username is and I don't have to go back to the database to look it up. Alright, so let's actually try that real quick. Let's close this and let's go to admin.php. And when we have welcome to the admin area, let's just put the user's name here. So welcome to the admin area and we need to get that out of the session. let's do echo htmlentities and then on that, we're going to use session username.
Right and then that value will be there. If they are logged in and they're able to get to this page, then we will know what their username is. Notice that I'm using session here but a long time ago, I never set up this admin page to use the session. Any page that's going to need to refer to it is also going to need to call it. So that will set up the session for us. So now we have the session and will pull up the value and go. Let's try it. So let us go to our log in page. Now if you remember what your admins are. If you don't remember you can just jump back over to manage admins.php and you can see what list of admins you have.
You can also create an admin here if you don't have one yet. I'm going to use kskoglund as the admin. Now notice we were able to go to this page without being logged in. We'll talk about that in a second. But for now, I'm just going to try out my login system. Username, my password I believe was secret, submit and there we are. Now I'm on admin.php. Welcome to the admin area, Kskoglund was able to pull it up. Now, like I said. We are able to go to these other pages like manage admins without being logged in. That wasn't a requirement of this page. That's because we don't have anyone checking for that hand stamp yet. We don't have anyone enforcing that on every page saying check to see if the user's logged in.
If not, redirect them back to the login page. That's what were going to do in the next movie.
- What is PHP?
- Installing and configuring PHP and MySQL
- Exploring data types
- Controlling code with logical expressions and loops
- Using PHP's built-in functions
- Writing custom functions
- Building dynamic webpages
- Working with forms and form data
- Using cookies and sessions to store data
- Connecting to MySQL with PHP
- Creating and editing database records
- Building a content management system
- Adding user authentication
Skill Level Beginner
Q: This course was revised on 6/4/2013. What changed?
A: The old version of this course was 6 years old and it was time for a complete revision, using PHP 5.4. (The tutorials will work with any version of PHP and covers any differences you might encounter). The author has also added updated installation instructions for Mac OS X Mountain Lion and Windows 8. The topics and end project are the same, but the code is slightly different. It also addresses frequently asked questions from the previous version.
Q: This course was updated on 5/20/2015. What changed?
A: We added one movie called "Changing the document root in Yosemite," which helps the Mac installation run more smoothly.