User authentication

Well the below code is very simple and works ok. You may want to consider if it secure enough for your needs. For instance make the password MD5 ect

Login Script could be similiar to this

<?php session_start();
include('db_config.php');
$errmsg_arr = array();
$errflag = false;
include ("database.php");
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
$login = clean($_POST['login']);
$password = clean($_POST['password']);
if($login == '') {
	header("Location:../index.php"); 
	exit();	
} elseif(strlen($login) > 7){
	header("Location:../accessdenied.php"); 
	exit();	
}
if($password == '') {
	header("Location:../index.php"); 
	exit();	
}
$qry="SELECT user_id, user_name, access from users WHERE user_id='$login' AND password='$password'";
$result=mysql_query($qry);
if($result)
{
if(mysql_num_rows($result) == 1) {
session_regenerate_id();
$user = mysql_fetch_assoc($result);
$_SESSION['SESS_USER_ID'] = $user['user_id'];
$_SESSION['SESS_USER_NAME'] = $user['user_name'];
$_SESSION['SESS_ACCESS'] = $user['access'];
header("location:../{$_SESSION['SESS_ACCESS']}.php");
session_write_close();
exit();			
}else {			
header("location:../loginfailed.php");
exit();
}
}else {
die("ERR- The connection to the database has failed, or the Query has failed");
}
?>

Put this at the top of each page after your logged in.

<?php
if(!isset($_SESSION['USER_ID']) || (trim($_SESSION['USER_ID']) == '')) {
include("accessdenied.php");
exit();
}
else{
if(!isset($_SESSION['SESS_ACCESS'])){
include("accessdenied.php");
}}
?>

You could even have if statements that relate to the access in the DB. eg if (access!="admin"){ show access denied ect }

Just to let you know I have written a tutorial for this and it has been in the holding que for the past 23 hours. At the moment I'm waiting for staff writers to approve it but when it's approved I shall give you the link.

Thanks for the reply but it is very basic and not secure at all isn't it!

Just to let you know I have written a tutorial for this and it has been in the holding que for the past 23 hours. At the moment I'm waiting for staff writers to approve it but when it's approved I shall give you the link.

Welcome back :)

Hi cwarn,
is there any chance I can read your tutorial?
Thanks

Hi cwarn,
is there any chance I can read your tutorial?
Thanks

Just a few moments ago the tutorials have been moved from the Editorial to the php category and will in the next few days be in the Tutorials category. So to view a tutorial on how to create a login system without databases then click here. Keep in mind that tutorial is there to teach you the basics of a login system and how it should work. If you want a mass production login system like for a forum then you will probably want to insert the passwords into a mysql database and double hash the passwords with salts along with the inner hash being substr().

Hi,

I want to authenticate user if he/she successfully logged in before or not, in every pages. Obviously on top of the pages I have to call a function or another page to run that function to carry out checks but, I really don't know what kind of code I have to use in function.

I read a lot of codes about sessions with hash, salt, session id, ip, timestamp etc but all blame each others code. I know nothing is perfect but at least I need someone to tell me "use this one" so I can use it so I need your help.

What do I set in session when logged in successfully and how do I validate those values in authentication function?

Thanks in advance

PHPAcademy Have that in the list of videos. Note, it is a tutorial not for production