Basicly you only need 3 things for a secure user database.
- You need the register form.
- You need the login form.
- You need the database.
So here's how it works. (simpled down of corse)
Start with the register form. (register.php)
Put this code in the head of the PHP page.
PHP Code:
<?php
//If user submitted the form and entered greater than $max and less than $min characters.
$max = 12; //Max is set to 12.
$min = 3; //Min is set to 3.
if( strlen($_POST['user']) >= ($min) && strlen($_POST['user']) <= ($max) ) {
$user=$_POST['user'];
$pass=$_POST['pass'];
$pass2=$_POST['pass2'];
//If passwords don't match, record error and display message.
if($pass != $pass2) {
echo ('<p>passwords do not match.<br> <a href="'.$_SERVER['HTTP_REFERER'].'">Try Again</a> </p>');
if(strlen($bad)<1) {
$bad=1;
} else {
$bad+=1;
}
}
if(strlen($bad)<1) {
include('connect.php');
// Perform the encryption (leaving first 2 letters of pass the same)
$salt = substr($_POST['pass'], 0, 2);
$pass = crypt($_POST['pass'], $salt);
$insert='INSERT INTO `users` (`user`,`pass`) VALUES("'.$user.'", "'.$pass.'")';
$sql=mysql_query($insert) or die(mysql_error());
echo ('User: '.$user.'<br>Pass: '.$pass.'<br> Created!');
echo('<meta http-equiv="refresh" content="5;URL=login.php" />');
echo('<p><a href="login.php">Refreshing in 5 seconds..</a></p>');
}
}
?>
Put this code in the body of the PHP page.
Code:
<form name="regi" id="regi" action="register.php" method="post" />
<p>
<strong>Username: </strong>
<input type="text" name="user" id="user" value="<?=$user?>" />
<br>
<strong>Password: </strong>
<input type="password" name="pass" id="pass" value="<?=$pass?>" />
<br>
<strong>Repeat Pass:</strong>
<input type="password" name="pass2" id="pass2" value="<?=$pass2?>" />
<br>
<input type="submit" name="submit" id="submit" value="Submit" />
</form>
</p>
That's a registration form.- We found out if the user submitted the form.
- When they do, check to see if passwords match.
- If there are no errors, encrypt the pass, and add data to database.
Now, before any of this will work, you need a connect page. (connect.php)
PHP Code:
<?php
// --------------------------- Edit SQL Connect Info --------------------------- //
$sql_host = "host";
$sql_user = "user";
$sql_pass = "pass";
$sql_database = "database";
// ------------------------- DO NOT EDIT BELOW THIS LINE ---------------------------- //
$db = mysql_connect($sql_host, $sql_user, $sql_pass) or die("Could not connect.");
if(!$db)
die("no db");
if(!mysql_select_db($sql_database,$db))
die("No database selected.");
?>
Put your mysql database information where you see "host", etc..
Before that will work, you need a database to put everything.
EDIT: Click here to see the alternative.- Open PhpMyAdmin. Create a table called users with 3 fields(columns,rows)
- first field name: ID type: BIGINT extra: auto-increment Set to: Primary Key.
- second field name: user type: VARCHAR length: 45 Set to: Unique.
- third field name: pass type: text
- Save.
Now your register page should work.
Finally you need the login page (login.php)
Put this at the very start of your page:
PHP Code:
<?php
session_start();
//You can log users out with a link to this: login.php?logout=AnyTextHere
if(strlen($_REQUEST['logout'])>0) {
session_destroy();
echo('<meta http-equiv="refresh" content="1;URL=login.php" />');
echo('<p>Logged out.<br><a href="login.php">Refreshing in 1 second..</a></p>');
}
?>
- This needs to be above the <html> tag, and everything else.
- The purpose of the session_start() is to let the page know that it needs to look for session varriables.
- The purpose of the conditional statement there, is to log users out after they click a logout link or button.
Put this at the head of your page:
PHP Code:
<?php
if(!isset($_SESSION['user'])) {
if(isset($_POST['submit'])) {
include("connect.php");
// Perform the encryption (leaving first 2 letters of pass the same)
$salt = substr($_POST['pass'], 0, 2);
$pass = crypt($_POST['pass'], $salt);
//Load user details from SQL Database
$userSelect = 'SELECT * FROM `users` WHERE `user` = "'.$_POST['user'].'" AND `pass` = "'.$pass.'" LIMIT 1';
$userQuery = mysql_query($userSelect) or die("Can not find ".$_POST['user']."<br><a href='".$_SERVER['HTTP_REFERER']."'>Try Again</a>");
while($userRow=mysql_fetch_array($userQuery)) {
//Define Session Variables
$_SESSION['user'] = $userRow['user'];
$_SESSION['pass'] = $userRow['pass'];
$_SESSION['ID'] = $userRow['ID'];
}
}
}
?>
- The above part gets the data for the logged in user. It gets them from the database, puts them in a session, and they will later be displayed on the page in the body.
- If the form is not submitted, it does nothing.
Put this in the body:
PHP Code:
<?php
if(isset($_SESSION['user'])) {
print '<h1>Hello, <strong>'.$_SESSION['user'].'</strong></h1>';
print '<p>You are now logged in.';
print '<br>Your ID is: <strong>'.$_SESSION['ID'].'</strong>';
print '<br>Your databased password is <strong>'.$_SESSION['pass'].'</strong></p>';
print '<p><a href="'.$_SERVER['PHP_SELF'].'?logout=Log-Me-Out">Click here to logout</a>.</p>';
}
?>
<form name="login" id="login" action="login.php" method="post" />
<strong>Username: </strong>
<input type="text" name="user" id="user" value="<?=$_SESSION['user']?>" /><br />
<strong>Password: </strong>
<input type="password" name="pass" id="pass" value="<?=$_SESSION['pass']?>" /><br />
<input type="submit" name="submit" id="submit" value="Submit" />
</form>
- Basicly, This just gets the data from the session, and displays it on the page. The form will display the session varriables too.
This is the more simple/secure hybrid..
I'm not using an md5 encrypt directly, but the crypt() function works too.
![[PHP+SQL] User Database in under 5 min. [Tut]](http://ragezone.com/hyper728.png)
Originally Posted by s-p-n
