This is a beginner’s tutorial on how to construct user registration and login forms using PHP’s PDO object. As it stands, there are hundreds of “PHP login tutorials” floating around on the web. Unfortunately, the vast majority of them use insecure password hashing methods and extensions that are now considered to be outdated (I’m looking at you, mysql_query).
User table structure.
I’ve kept things simple by using an extremely basic table structure. Obviously, you can customize this and add your own columns to this table if you need to (email address, name, etc.). This tutorial assumes that our login is based on a username and password combination (as opposed to an email and password combination). You can import the following table structure into your database:
Note: I have added a unique index to the username column. This is because a username must be unique!
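As an added example (not the tutorial’s own SQL dump), here is a small setup script that creates the table the rest of this page works with. The column names id, username and password are my assumptions, as is the existence of a connect.php that defines $pdo (it is written in the next section):

```php
<?php
// setup_users_table.php -- added example, not part of the original tutorial.
// Creates the minimal users table that the registration and login scripts
// on this page assume. Column names are assumptions; add your own (email,
// name, ...) as needed.
require 'connect.php'; // assumed to define $pdo (see "Connect" below)

$sql = "
CREATE TABLE IF NOT EXISTS users (
    id       INT UNSIGNED NOT NULL AUTO_INCREMENT,
    username VARCHAR(32)  NOT NULL,
    -- 255, not 60: a bcrypt hash is 60 characters today, but password_hash()
    -- may return longer strings for future algorithms, and the PHP manual
    -- recommends 255 so the column never silently truncates a hash.
    password VARCHAR(255) NOT NULL,
    PRIMARY KEY (id),
    UNIQUE KEY username_unique (username)  -- usernames must be unique
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4";

$pdo->exec($sql);
echo 'users table is ready';
```

The UNIQUE index is what lets the registration script below detect a duplicate username reliably: two requests racing to register the same name cannot both succeed, because the database, not PHP, enforces the rule.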
Connect.
The first order of business is to connect to MySQL using the PDO object. For a more in-depth tutorial on this, you should read my tutorial “Connecting to MySQL with PHP”. For the purpose of this tutorial, I have created a file called connect.php, which we will include throughout our scripts:
The code above will connect to a MySQL database using the PDO extension. You will need to read the comments that are littered throughout the code and change the MySQL connection details to match your own!
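Below is a connect.php written for this page as an added example; it is not the tutorial’s own file. The host, database name, user and password are placeholders you must replace. The important parts are the charset in the DSN, exceptions as the error mode, and disabling emulated prepares so that the prepared statements used later are real server-side prepared statements:

```php
<?php
// connect.php -- added example, not the tutorial's own file.
// Every other script on this page does: require 'connect.php';
$host   = '127.0.0.1';   // assumption: MySQL on localhost
$dbname = 'test_db';     // assumption: your database name
$user   = 'db_user';     // assumption: a least-privilege account (SELECT/INSERT/UPDATE on users only)
$pass   = 'db_password'; // placeholder: keep the real value out of your web root

// The charset in the DSN makes the connection UTF-8 and avoids the classic
// multibyte escaping problem that emulated prepares can run into.
$dsn = "mysql:host=$host;dbname=$dbname;charset=utf8mb4";

$options = array(
    // Throw exceptions instead of silently returning false.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements rather than client-side
    // string building; parameters then never touch the SQL text.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
);

try {
    $pdo = new PDO($dsn, $user, $pass, $options);
} catch (PDOException $e) {
    // Log the real message; never echo it to the browser, because it can
    // contain the host name, user name or parts of the DSN.
    error_log('DB connection failed: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    die('Could not connect to the database.');
}
```

Keep this file outside the document root if your hosting allows it, and give the MySQL account only the privileges the scripts need: a login form has no business running DROP or GRANT.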
User Registration Form.
Before a user can log in, he or she will need to sign up to our website by using a registration form. If the registration is successful, we will insert a new user account into our users table.
A few things to note:
- We are using ircmaxell’s password_compat library. This will work for PHP version 5.3.7 and above. If you are lucky enough to be using a PHP version that is 5.5 or above, then you’ll be happy to know that the password_hash function is already built-in.
- We are using a respected password hashing algorithm called BCRYPT. Other login tutorials make the mistake of promoting hashing algorithms such as md5 and sha1. The problem with md5 and sha1 is that they are “too fast”: an attacker who obtains your hashes can test guesses at an enormous rate, whereas bcrypt is deliberately slow and has an adjustable cost factor, so each guess costs the attacker far more.
- You will need to add your own error checking to this registration form (username length, what type of characters are allowed, etc). You will also need to implement your own method of handling user errors as the code above is pretty basic in that respect. For further help on this subject, be sure to check out my tutorial on handling form errors in PHP.
- If the insert code above looks completely foreign to you, then you should probably check out my article on Inserts with PDO.
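The following register.php is an added example, not the tutorial’s own code, that puts the points above together: the password_compat polyfill is loaded only when password_hash is missing (PHP 5.3.7 to 5.4), the password is hashed with bcrypt, the INSERT is a prepared statement, and a duplicate username is detected from the UNIQUE index rather than by a separate SELECT. It assumes connect.php defines $pdo, that the users table has id, username and password columns, and that the library lives at lib/password.php (my path, not the library’s). The username and password rules are deliberately simple placeholders for the validation the tutorial leaves to you:

```php
<?php
// register.php -- added example, not the tutorial's own code.
session_start();
require 'connect.php'; // assumed to define $pdo

// ircmaxell's password_compat for PHP 5.3.7 - 5.4; PHP 5.5+ has these built in.
if (!function_exists('password_hash')) {
    require 'lib/password.php'; // assumed location of the library
}

$errors = array();

if (isset($_POST['register'])) {
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Basic validation (the tutorial leaves the exact rules to you).
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'Username must be 3-32 characters: letters, digits or underscore.';
    }
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }

    if (empty($errors)) {
        // bcrypt: salted, deliberately slow, cost adjustable. Never md5/sha1.
        $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));

        $stmt = $pdo->prepare(
            'INSERT INTO users (username, password) VALUES (:username, :password)'
        );
        try {
            $stmt->execute(array(':username' => $username, ':password' => $hash));
            header('Location: login.php');
            exit;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation: the UNIQUE
            // index on username rejected a duplicate.
            if ($e->getCode() == '23000') {
                $errors[] = 'That username is already taken.';
            } else {
                error_log('register: ' . $e->getMessage());
                $errors[] = 'Registration failed, please try again later.';
            }
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head><title>Register</title></head>
<body>
<?php foreach ($errors as $error): ?>
    <p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endforeach; ?>
<form action="register.php" method="post">
    <label>Username <input type="text" name="username" maxlength="32"></label><br>
    <label>Password <input type="password" name="password"></label><br>
    <input type="submit" name="register" value="Register">
</form>
</body>
</html>
```

Two details worth noticing: the password is never trimmed or otherwise altered before hashing (whatever the user typed is what they will have to type again), and the cost of 12 is a starting point; measure how long password_hash takes on your server and raise the cost until it is as slow as your login page can tolerate.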
User Login with PHP.
A basic example of a website login with PHP and the PDO object:
Step by step explanation of the code above:
- We start the session by using the function session_start. This function MUST be called on every page that reads or writes $_SESSION, before any output is sent.
- We require the password_compat library.
- We require our connect.php file, which connects to MySQL and instantiates the PDO object.
- If the POST variable “login” exists, we assume that the user is attempting to log in to our website.
- We grab the field values from our login form.
- Using the username that we were supplied with, we attempt to retrieve the relevant user from our MySQL table. We do this by using a prepared SELECT statement.
- If a user with that username exists, we compare the two passwords by using the function password_verify (this takes care of the hash comparison for you).
- If the password hashes match, we supply the user with a login session. We do this by creating two session variables called “user_id” and “logged_in”.
- We then redirect the user to home.php, which is our login-protected page.
Note: You will need to implement your own way of dealing with user errors. In this tutorial, I am using the die statement, which is a bit nasty.
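Here is a complete login.php following the steps above, written for this page as an added example rather than taken from the tutorial. It assumes the connect.php and users table from the earlier examples and the lib/password.php path for password_compat. It adds three things a practitioner would want that the step list does not mention: the session ID is regenerated on successful login (against session fixation), one generic error message covers both “no such user” and “wrong password” (so the form does not confirm which usernames exist), and password_needs_rehash upgrades old hashes when the cost factor has been raised. The “logged_in” session variable is stored as a timestamp, which is what the protected page below checks:

```php
<?php
// login.php -- added example, not the tutorial's own code.
session_start();
require 'connect.php'; // assumed to define $pdo

if (!function_exists('password_verify')) {
    require 'lib/password.php'; // assumed location of password_compat
}

$bcryptOptions = array('cost' => 12); // must match register.php
$error = '';

if (isset($_POST['login'])) {
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Prepared SELECT: the username is bound as a parameter, never interpolated.
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = :username');
    $stmt->execute(array(':username' => $username));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify does the salt extraction and hash comparison for us.
    if ($user && password_verify($password, $user['password'])) {
        // New session ID on privilege change: a session ID an attacker planted
        // in the victim's browser before login is now worthless.
        session_regenerate_id(true);

        $_SESSION['user_id']   = (int) $user['id'];
        $_SESSION['logged_in'] = time(); // login timestamp, checked by home.php

        // If the cost was raised since this hash was stored, re-hash now,
        // while we still have the plaintext.
        if (password_needs_rehash($user['password'], PASSWORD_BCRYPT, $bcryptOptions)) {
            $newHash = password_hash($password, PASSWORD_BCRYPT, $bcryptOptions);
            $upd = $pdo->prepare('UPDATE users SET password = :password WHERE id = :id');
            $upd->execute(array(':password' => $newHash, ':id' => $user['id']));
        }

        header('Location: home.php');
        exit;
    }

    // Same message for unknown user and wrong password.
    $error = 'Incorrect username or password.';
}
?>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
<?php if ($error !== ''): ?>
    <p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="login.php" method="post">
    <label>Username <input type="text" name="username" maxlength="32"></label><br>
    <label>Password <input type="password" name="password"></label><br>
    <input type="submit" name="login" value="Login">
</form>
</body>
</html>
```

If you keep the tutorial’s die() approach instead, at least make sure the message is the same for both failure cases; “user not found” and “wrong password” as separate messages turn the login form into a username oracle.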
Protected page.
Our protected page is called home.php. I’ve kept it simple:
Step-by-step:
- I start the session by using session_start. This is important, as our login system will not work without a valid user session.
- We check to see if the user has the required session variables (user ID and login timestamp). If the user does not have either of these session variables, we simply redirect them back to the login.php page. Obviously, you can customize this to suit your own needs.
- We print out a test message, just to show that the login system is functioning as expected.
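A home.php matching those three steps, added here as an example and not copied from the tutorial. It assumes login.php stored $_SESSION['user_id'] and $_SESSION['logged_in'] (a Unix timestamp); the eight-hour expiry is an assumed policy you can change or drop. The one thing to get right is the exit after header(): without it PHP keeps rendering the page, and a client that ignores the redirect header still receives the protected content:

```php
<?php
// home.php -- added example, not the tutorial's own code.
session_start(); // required: $_SESSION is empty without it

// Not logged in: send the visitor back to the login form.
// exit after header() is essential; a redirect header alone does not
// stop the rest of this script from being sent.
if (!isset($_SESSION['user_id'], $_SESSION['logged_in'])) {
    header('Location: login.php');
    exit;
}

// Optional: treat a login older than 8 hours as expired (assumed policy).
$maxAge = 8 * 3600;
if (time() - (int) $_SESSION['logged_in'] > $maxAge) {
    $_SESSION = array();   // clear server-side data
    session_destroy();
    header('Location: login.php');
    exit;
}

$userId = (int) $_SESSION['user_id'];
?>
<!DOCTYPE html>
<html>
<head><title>Home</title></head>
<body>
<p>Login successful. You are logged in as user #<?php echo $userId; ?>.</p>
</body>
</html>
```

Every protected page needs the same check at the top before it sends any output; the usual way to avoid copying it around is to move the check into a small auth.php that each protected page requires right after session_start.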