Making a login form using PHP

Here is the HTML code for the login form.

<form id='login' action='login.php' method='post' accept-charset='UTF-8'> <fieldset > <legend>Login</legend> <input type='hidden' name='submitted' id='submitted' value='1'/> <label for='username' >UserName*:</label> <input type='text' name='username' id='username'  maxlength="50" /> <label for='password' >Password*:</label> <input type='password' name='password' id='password' maxlength="50" /> <input type='submit' name='Submit' value='Submit' /> </fieldset> </form>

Logging in

We verify the username and the password we received and then look up those in the database. Here is the code:

function Login() {     if(empty($_POST['username']))     {         $this->HandleError("UserName is empty!");         return false;     }           if(empty($_POST['password']))     {         $this->HandleError("Password is empty!");         return false;     }           $username = trim($_POST['username']);     $password = trim($_POST['password']);           if(!$this->CheckLoginInDB($username,$password))     {         return false;     }           session_start();           $_SESSION[$this->GetLoginSessionVar()] = $username;           return true; }

In order to identify a user as authorized, we are going to check the database for his combination of username/password, and if a correct combination was entered, we set a session variable.
Here is the code to look up the username and password.

function CheckLoginInDB($username,$password) {     if(!$this->DBLogin())     {         $this->HandleError("Database login failed!");         return false;     }              $username = $this->SanitizeForSQL($username);     $pwdmd5 = md5($password);     $qry = "Select name, email from $this->tablename ".         " where username='$username' and password='$pwdmd5' ".         " and confirmcode='y'";           $result = mysql_query($qry,$this->connection);           if(!$result || mysql_num_rows($result) <= 0)     {         $this->HandleError("Error logging in. ".             "The username or password does not match");         return false;     }     return true; }

Please notice that we must compare the value for the password from the database with the MD5 encrypted value of the password entered by the user. If the query returns a result, we set an “authorized” session variable, and then redirect to the protected content. If there are no rows with the entered data, we just redirect the user to the login form again.

Access controlled pages

For those pages that can only be accessed by registered members, we need to put a check on the top of the page.
Notice that we are setting an “authorized” session variable in the login code above. On top of pages we want to protect, we check for that session variable. If user is authorized, we show him the protected content, otherwise we direct him to the login form.
Include this sample piece of code on top of your protected pages:

<?PHP require_once("./include/membersite_config.php"); if(!$fgmembersite->CheckLogin()) {     $fgmembersite->RedirectToURL("login.php");     exit; } ?>

See the file: access-controlled.php in the downloaded code for an example.
Here is the CheckLogin() function code.

function CheckLogin() {      session_start();      $sessionvar = $this->GetLoginSessionVar();             if(empty($_SESSION[$sessionvar]))      {         return false;      }      return true; }

These are the basics of creating a membership site. Now that you have the basic knowledge, you can experiment with it and add new features, such as a “Forgot password” page to allow the user to retrieve or change his password if he forgets it.