Free2Code
Tutorials - Creating a PHP Login Script - Allow them to 'log in'
This article was written by OldSite (member since October 11, 2006).

Now we need to create the script that lets the user submit their username and password, checks whether they are correct and, if so, registers them as session variables. Once the session variables are registered the user is deemed “logged in”, and $logged_in will be true until they ‘log out’.

File: login.php
<?php

// database connect script.

require 'db_connect.php';

if($logged_in == 1) {
    // escape the username before echoing it back into the page
    die('You are already logged in, '.htmlspecialchars($_SESSION['username'], ENT_QUOTES).'.');

}

?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php

if (isset($_POST['submit'])) { // if form has been submitted

    /* check they filled in what they were supposed to and authenticate */
    // logical OR (||), and empty() so a missing field does not raise a notice
    if (empty($_POST['uname']) || empty($_POST['passwd'])) {
        die('You did not fill in a required field.');
    }

    // authenticate.

    if (!get_magic_quotes_gpc()) {
        $_POST['uname'] = addslashes($_POST['uname']);
    }

    $qry = "SELECT username, password FROM users WHERE username = '".$_POST['uname']."'";
    $check = $db_object->query($qry);

    if (DB::isError($check) || $check->numRows() == 0) {
        die('That username does not exist in our database.');
    }

    $info = $check->fetchRow();

    // check passwords match

    $_POST['passwd'] = stripslashes($_POST['passwd']);
    $info['password'] = stripslashes($info['password']);
    $_POST['passwd'] = md5($_POST['passwd']);

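    // strict comparison: with != two different hashes of the form "0e<digits>" compare as equal numbers
    if ($_POST['passwd'] !== $info['password']) {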
        die('Incorrect password, please try again.');
    }

    // if we get here username and password are correct,
    // register session variables and set last login time.

    $date = date('m d, Y');

    $qry = "UPDATE users SET last_login = '$date' WHERE username = '".$_POST['uname']."'";
    $update_login = $db_object->query($qry);

    $_POST['uname'] = stripslashes($_POST['uname']);
    $_SESSION['username'] = $_POST['uname'];
    $_SESSION['password'] = $_POST['passwd'];
    $db_object->disconnect();
?>

<h1>Logged in</h1>
<p>Welcome back <?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES); ?>, you are logged in.</p>

<?php

} else {    // if form hasn't been submitted

?>
<h1>Login</h1>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
<table align="center" border="1" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td>
<input type="text" name="uname" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="passwd" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
</body>
</html>

Now we have our ‘log in’ script. When the user loads this page they are presented with a form that allows them to submit their username and password. We then check whether that user is in the database; if so, we take the password associated with that username and compare it with the user’s submitted password. If they match, the user submitted the correct information, and we can register the username and the MD5-hashed password as session variables. These session variables are then inspected by the check_login.php script, which authenticates the user each time a page is loaded and lets us use our $logged_in variable to check for a correct log in. When the user is done, it’s a good idea to allow them to “log out”.
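
A hardened version of the credential check described above, as an added example that is not part of the original tutorial: it uses PDO bound parameters instead of addslashes(), compares hashes in constant time, upgrades the tutorial's unsalted MD5 rows to password_hash() on the next successful login, and keeps the password hash out of the session. The function names, the in-memory SQLite database and the demo user are assumptions made for the example; a check_login.php paired with it would test only $_SESSION['username'].

```php
<?php
// Added example, not the tutorial's code. Assumes PDO with the SQLite driver;
// table and column names follow the tutorial's queries, the rest is hypothetical.

function authenticate(PDO $pdo, string $uname, string $passwd): bool
{
    // Bound parameter replaces addslashes() plus string concatenation.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$uname]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // unknown user
    }
    // Legacy row in the tutorial's format: 32 hex characters of unsalted MD5.
    if (preg_match('/^[0-9a-f]{32}$/D', $stored) === 1) {
        if (!hash_equals($stored, md5($passwd))) {
            return false;
        }
        // Correct password on a legacy row: store a password_hash() value instead.
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($passwd, PASSWORD_DEFAULT), $uname]);
        return true;
    }
    return password_verify($passwd, $stored);
}

function log_in(PDO $pdo, string $uname, string $passwd): bool
{
    if (!authenticate($pdo, $uname, $passwd)) {
        return false; // caller shows one generic message for both failure cases
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID once the user is authenticated
    }
    $_SESSION['username'] = $uname; // the password hash is not copied into the session
    return true;
}

// Constructed demo data: in-memory SQLite with one legacy MD5 row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', md5('s3cret-demo')]);

var_dump(log_in($pdo, "o'brien", 'x'));           // quote in the name needs no escaping
var_dump(log_in($pdo, 'alice', 'wrong'));
var_dump(log_in($pdo, 'alice', 's3cret-demo'));   // succeeds and upgrades the stored hash
$hash = $pdo->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_verify('s3cret-demo', $hash));  // the row no longer holds MD5
```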

Allow them to ‘log out’

To log a user out we simply destroy their session variables and their session.

File: logout.php
<?php

require 'db_connect.php';    // database connect script.

if ($logged_in == 0) {
    die('You are not logged in so you cannot log out.');
}

// kill session variables
unset($_SESSION['username']);
unset($_SESSION['password']);
$_SESSION = array(); // reset session array
session_destroy();   // destroy session.
header('Location: index.php'); // redirect them to anywhere you like.
exit; // stop the script once the redirect header has been sent
?>

That script is very simple. Once the session variables are unset, the check_login.php script will set $logged_in to zero, so the user will no longer be classed as “logged in”.

