Following up on "Implementing One-way Encryption in PHP," my previous tutorial about using one-way encryption to build a secure online diary application, this article explores using PHP encryption for login authentication. It presents the two scripts that make up the diary application, the login and diary scripts, as well as the necessary database server connection script.
We start with the login script.
The Login Script
The login script ensures that unauthorized users don't access other people's diary contents. Every user who wants to use a diary needs to be registered. The login code below shows both file- and database-based methods for authenticating a user.
<?php
session_start();
include "global.php";

if(isset($_POST['submit'])){
    //get stored password from database
    $sql = "SELECT id,name FROM users WHERE pass='".MD5($_POST['pw'])."'";
    $res = mysql_query($sql);
    //mysql_query() returns a result resource for any SELECT that ran without
    //error, even one that matched no rows, so the row count must be checked too
    if($res && mysql_num_rows($res) > 0){
        $row = mysql_fetch_assoc($res);
        $name = $row['name'];
        $_SESSION['name'] = $name;
        $_SESSION['id'] = $row['id'];
        header("location:editor.php");
        exit; //stop the script so nothing runs after the redirect
    }else{
        echo "Your details did not match";
        exit;
    }
}

/**IF your password is stored in a txtfile
if(isset($_POST['submit'])){
    //get pass from file
    if(file_exists('passfile.txt')){
        //open up the file
        if($file_pointer = fopen('passfile.txt','r')){
            //an MD5 hex digest is 32 characters long; trim() drops a trailing newline
            $pass = trim(fread($file_pointer,32));
            //echo $pass;
            fclose($file_pointer);
            //compare the hashed password against the pass from the form
            //(=== rather than == so digests starting with "0e" are not compared as numbers)
            if(md5($_POST['pw']) === $pass){
                header("location:editor.php");
                exit;
            }else{
                echo "your details did not match";
            }
        }else{
            echo "An error occurred while reading the file";
        }
    }else{
        echo "Could not carry out the file operation because file does not exists.";
    }//fileexists
}
*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
.style1 {
    font-size: 36px;
    font-weight: bold;
}
-->
</style>
</head>

<body>
<form action="login.php" method="post">
<table width="100%" border="1">
  <tr>
    <td colspan="2"><span class="style1">My Diary Login </span></td>
  </tr>
  <tr>
    <td width="14%"> </td>
    <td width="86%"> </td>
  </tr>
  <tr>
    <td>Login:</td>
    <td><input type="password" name="pw"></td>
  </tr>
  <tr>
    <td> </td>
    <td><input type="submit" name="submit" value="submit"></td>
  </tr>
</table>
</form>
</body>
</html>
Whether you use the file-based or database-based method is entirely up to you. Either way, the page should look like Figure 1.
Figure 1. Login Page for Online Diary Application
To start with, the PHP portion of the code processes the data that is sent from the login form. It then uses one of the two authentication methods.
Database-based Authentication
Because we will store some data in session variables, we first start a session for the user. Then we include the global.php file that contains the database-connection details:

<?php
session_start();
include "global.php";
Now we start authenticating the user. We start off by checking if the form has been submitted:
if(isset($_POST['submit'])){
Then we build a SQL statement to retrieve the stored password from the database:
//get stored password from database
$sql = "SELECT id,name FROM users WHERE pass='".MD5($_POST['pw'])."'";
We run the SQL statement using the mysql_query() function:

$res = mysql_query($sql);
Next, we test to see if any results have been returned. Note that mysql_query() returns a result resource for any SELECT that ran without error, even one that matched no rows, so the row count has to be checked as well or the login would succeed for any submitted password:

if($res && mysql_num_rows($res) > 0){
If results have been returned, we fetch the record using MySQL's mysql_fetch_assoc() function:

$row = mysql_fetch_assoc($res);
We store the name and ID of the user in session variables:
$name = $row['name'];
$_SESSION['name'] = $name;
$_SESSION['id'] = $row['id'];
Then we redirect the user to the text editor page:
header("location:editor.php");
exit; //stop the script so nothing runs after the redirect
If the $res variable does not contain any results, then the user who is trying to log in either does not exist or has mistyped their login details. In either case, the details will not match, so we show an error message:

}else{
    echo "Your details did not match";
    exit;
}
}
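The query above looks a user up by password hash alone and trusts the result resource as proof of a match. As an added example that is not part of the original tutorial, here is the same database-based login written against a PDO connection, with the account selected by name and the hash checked in PHP. It assumes global.php defines a PDO object $pdo, that the login form has an additional name field (the original form only has the pw field), and that the pass column holds a password_hash() result rather than an MD5 digest.

```php
<?php
// Added example (not the tutorial's code): hardened database-based login.
// Assumptions: global.php defines $pdo (a PDO connection), the form posts
// `name` and `pw`, and users.pass stores a password_hash() result.
session_start();
include "global.php";

// Returns the matching user row, or null when the name or password is wrong.
// Selecting by name and verifying in PHP fixes two problems with the original
// query: a hash-only lookup matches any account that shares the password, and
// a SELECT that matches no rows still yields a truthy result resource.
function authenticate(PDO $pdo, string $name, string $password): ?array
{
    // Bound parameter: the submitted name never touches the SQL text.
    $stmt = $pdo->prepare("SELECT id, name, pass FROM users WHERE name = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // unknown user
    }
    // password_verify() handles the salt stored inside the hash and compares
    // in constant time, unlike md5() == $stored.
    if (!password_verify($password, $row['pass'])) {
        return null;                        // wrong password
    }
    // Transparently upgrade hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE users SET pass = ? WHERE id = ?");
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $row;
}

if (isset($_POST['submit'])) {
    $name     = (string)($_POST['name'] ?? '');
    $password = (string)($_POST['pw'] ?? '');
    $user = authenticate($pdo, $name, $password);
    if ($user === null) {
        // One generic message for both failure cases, so the response does not
        // reveal whether the name exists.
        echo "Your details did not match";
        exit;
    }
    // A fresh session id after login prevents reuse of a pre-login id.
    session_regenerate_id(true);
    $_SESSION['name'] = $user['name'];
    $_SESSION['id']   = $user['id'];
    header("Location: editor.php");
    exit; // nothing below the redirect should run
}
```

Registering a user with this layout is a single call, `password_hash($plain, PASSWORD_DEFAULT)`, stored into the pass column; the salt and algorithm travel inside the resulting string, so nothing else about the table needs to change.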
File-based Authentication
The second method of authentication is when you store your details in a file. The logic for retrieving the password is the same as that for doing it with the database server. First we check if the file that we want to open exists:
/**IF your password is stored in a txtfile
if(isset($_POST['submit'])){
    //get pass from file
    if(file_exists('passfile.txt')){
Then we open the file to read the contents. To do this, we need to specify the file name and opening mode:
//open up the file
if($file_pointer = fopen('passfile.txt','r')){
Then we read the 32-character digest from the file using the fread() function and store the result in the $pass variable (trim() removes a trailing newline if the file has one):

//an MD5 hex digest is 32 characters long; trim() drops a trailing newline
$pass = trim(fread($file_pointer,32));
//echo $pass;
Then we close the file, because we got what we wanted from it:
fclose($file_pointer);
The password from the file is now held in the $pass variable. It is already hashed, so it is a 32-character hex string rather than plain text. We therefore hash the user-submitted password the same way and compare the two strings. The following code does exactly that; the strict === comparison matters because PHP's == would treat two digests that both start with "0e" as equal numbers:

//compare the hashed password against the pass from the form
if(md5($_POST['pw']) === $pass){
    header("location:editor.php");
    exit;
If the passwords match, we send the user over to the editor script. If they do not, then we show the following message:
}else{
    echo "your details did not match";
}
If an error occurs while trying to read the file, we show this error message:
}else{
    echo "An error occurred while reading the file";
}
}else{
Similarly, if we cannot find the file that we want to open, we write a similar error message:
    echo "Could not carry out the file operation because file does not exists.";
}//fileexists
}
*/
?>
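The file-based variant above keeps a single bare MD5 digest in passfile.txt, reads it with a fixed-length fread() and compares it with the submitted value. As an added example that is not part of the original tutorial, the following code keeps one name:hash line per user, where hash is a password_hash() result, and verifies a login against it. The file name users.txt, the line format and the function names are assumptions of this example; the demo at the bottom builds a temporary file so it can run offline.

```php
<?php
// Added example (not the tutorial's code): file-based authentication with one
// "name:hash" line per user. The file name, format and helpers are assumed.

// Parse the credential file into [name => hash]. Blank lines and lines without
// a separator are skipped. Returns null when the file cannot be read.
function load_users(string $path): ?array
{
    if (!is_readable($path)) {
        return null;
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return null;
    }
    $users = [];
    foreach ($lines as $line) {
        // Split on the first colon only; a bcrypt hash contains no colon, but
        // the limit keeps the parser robust if a later hash format did.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;
        }
        $users[trim($parts[0])] = trim($parts[1]);
    }
    return $users;
}

// Add or replace a user. The whole file is rewritten under an exclusive lock so
// a concurrent login never reads a half-written line. Names may not contain the
// separator character.
function save_user(string $path, string $name, string $password): bool
{
    if ($name === '' || strpos($name, ':') !== false) {
        return false;
    }
    $users = load_users($path) ?? [];
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    $out = '';
    foreach ($users as $n => $h) {
        $out .= "$n:$h\n";
    }
    return file_put_contents($path, $out, LOCK_EX) !== false;
}

// Verify a login. True only when the name exists and the password matches its
// stored hash. Reading the full line replaces the fixed 15-byte fread(), and
// password_verify() replaces md5() == $pass with a salted, constant-time check.
function check_login(string $path, string $name, string $password): bool
{
    $users = load_users($path);
    if ($users === null || !isset($users[$name])) {
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Constructed demo: create a temporary credential file, then try a correct
// password, a wrong password and an unknown user.
$path = sys_get_temp_dir() . '/users_demo.txt';
save_user($path, 'alice', 'correct horse battery staple');
var_dump(check_login($path, 'alice', 'correct horse battery staple'));
var_dump(check_login($path, 'alice', 'wrong'));
var_dump(check_login($path, 'bob', 'anything'));
unlink($path);
```

Because the hash string carries its own salt and cost, two users with the same password get different lines in the file, which is not the case with a bare MD5 digest. The file should live outside the web root, or be protected by the web server configuration, so that it cannot be fetched directly.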
HTML Portion of Login Page
The HTML portion of the login page is very easy to understand. First, the HTML headers are set and some styles are defined:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
.style1 {
    font-size: 36px;
    font-weight: bold;
}
-->
</style>
</head>

<body>
Then the form tag is created:
<form action="login.php" method="post">
Then the table is created, the table headers are set, and all the other formatting is done:
<table width="100%" border="1">
  <tr>
    <td colspan="2"><span class="style1">My Diary Login </span></td>
  </tr>
  <tr>
    <td width="14%"> </td>
    <td width="86%"> </td>
  </tr>
The form then presents the user with a password field that will take the password:

  <tr>
    <td>Login:</td>
    <td><input type="password" name="pw"></td>
  </tr>
Finally the form button is defined:
  <tr>
    <td> </td>
    <td><input type="submit" name="submit" value="submit"></td>
  </tr>
</table>

</form>

</body>
</html>