In this example we are going to show you how to add an authentication system to your website. Authentication is an integral part of any web app that works with a login and registration system. Web apps like facebook.com, twitter.com and amazon.com use authentication to secure there users.<\/p>\n
Authentication is the process of determining whether someone or something is, in fact, who or what is declared to be. When you login into your facebook account, facebook has to be sure it is really you trying to login to your account and not an impostor. The process by which facebook guarantees that you really own the account (and not your evil twin), is authentication. Authentication has to be done correctly.
\n
\n[ulp id=’8njY7i2QRy6sg8pg’]
\n
\nIn this example we will develop a simple login and registration web app that shows the process of\u00a0authentication in php.
\nFor this example we will use:<\/p>\n
If you are developing on your local machine, you can download and install wamp. Wamp installs both php, phpmyadmin and mysql on your local machine. Furthermore, wamp doesn’t require any specific prior knowledge to get it working.<\/p>\n
This tutorial assumes you have php and mysql running. You should also create a database named authentication.<\/p>\n
db.php<\/em><\/span><\/p>\n This script creates a connection to the database. We are using PDO (Php data objects) to access our database. The connection is stored in the init.php<\/em><\/span><\/p>\n Before you register\/login with the index.php script, you should load this script(init.php) into your browser (just once). The script creates a table that is called “Myuser” in the database. In line two we include the “db.php” script to login to the database. In line 5 we create a table in our database by calling the Here comes the interesting part. Let’s take a look at our login and register form.<\/p>\n index.php<\/em><\/span><\/p>\n This page contains the login and registration form. After a user fills the login or registration form and submit it, our php script “submit.php” is called.\u00a0We created a class called Database in the database.php script. This class contains the methods that perform authentication.<\/p>\n database.php<\/em><\/span><\/p>\n The class database contains four important functions.<\/p>\n submit.php<\/em><\/span><\/p>\n In line three we instatiate the database class. In line four we check if the user is trying to login. In line eight we check if the user exists and if the user does not exist or authentication fails we redirect him to an error page. If the authentication succeeds we redirect the user to the welcome page.<\/p>\n In line 20 we check if the user is trying to register. If the user is trying to register, in line 25 we call the In this example we learnt about authentication in php, what it means and how to do it correct. We have also learnt the common pitfalls when implementing authentication and how to\u00a0avoid them.<\/p>\n \r\n<?php\r\n$dsn = \"mysql:dbname=authentication\"; \r\n$username = \"root\"; \r\n$password = \"\"; \r\ntry{\r\n$conn = new PDO( $dsn, $username, $password ); \r\n$conn->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);\r\n}\r\ncatch(PDOException $pd){\r\necho $pd->getMessage();\r\n}\r\n?>\r\n\r\n<\/pre>\n$conn<\/code> object and it is made available to manipulate the database.
\nWe create a new PDO object in line 6 and surround it with a try\/catch statement, so as to catch any error that might occur while trying to connect to the database.<\/p>\n \r\n\r\n<?php\r\nrequire_once(\"db.php\");\r\ntry{\r\n$sql=\"create Table Myuser(id smallint unsigned not null AUTO_INCREMENT PRIMARY KEY, name VARCHAR(265) NOT NULL,email VARCHAR(265) NULL,password VARCHAR(265) NOT NULL)\";\r\n$conn->exec($sql);\r\necho \"TABLE CREATED\";\r\n}\r\ncatch(PDOException $pd){\r\necho \"Error Creating Table: \" . $pd->getMessage();\r\n}\r\n$conn=null;\/\/close the database connection\r\n?>\r\n\r\n<\/pre>\n$conn->exec($sql)<\/code> method, which takes a string as a parameter (the string holds the sql query).<\/p>\n1.2 Authenticating users<\/h2>\n
\r\n<!DOCTYPE html> \r\n<html lang=en>\r\n\t<head>\r\n\t<style>\r\n\thtml, body{\r\n\twidth:100%;\r\n\theight:100%;\r\n\tmargin:0%;\r\n\tfont-family:\"helvetica\",\"verdana\",\"calibri\", \"san serif\";\r\n\toverflow:hidden;\r\n\tpadding:0%;\r\n\tborder:0%;\r\n\t}\r\n\t.a{\r\n\twidth:20%;\r\n\tmargin:10px;\r\n\theight:40px;\r\n\t}\r\n\t.a1{\r\n\tdisplay:inline;\r\n\twidth:20%;\r\n\theight:30px;\r\n\t\r\n\t}\r\n\t#sub{\r\n\tdisplay:inline;\r\n\t\r\n\t\r\n\t}\r\n\r\n\t<\/style>\r\n\t \t\t<meta charset=\"utf-8\" \/>\r\n\t\t<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, target-densitydpi=device-dpi\"\/>\r\n\t\r\n\t<title><\/title>\r\n\t\r\n\t<\/head>\r\n\t<body>\r\n\r\n\t<h1>Login And Registration Form<\/h1>\r\n\t<div id=cen align=right>\r\n\t\r\n\t<form action=\"submit.php\" method=post>\r\n\t\r\n<input type=text class=a placeholder=name name=name required><br>\r\n\r\n<input type=email class=a placeholder=email name=email required><br>\r\n\r\n<input type=password class=a placeholder=Password name=password required><br>\r\n<input type=submit class=a value=Regster name=register>\r\n\r\n<\/form>\r\n<div align=right>\r\n\\\r\n\t \t<form action=\"submit.php\" method=post>\r\n <input type=email class=a placeholder=email required name=email><br>\r\n<input type=password class=a placeholder=password required name=password><br>\r\n<input type=submit class=a value=Login id=sub name=login>\r\n<\/form>\r\n\t\r\n\t<\/div>\r\n<\/div>\r\n\t<\/body>\r\n\t<\/html>\r\n\r\n<\/pre>\n<?php\r\nrequire_once(\"db.php\");\r\n\r\nclass Database{\r\n\r\npublic function closeDataBase(){\r\n$conn=null;\r\n\r\n}\r\n\/* this checks if the user exists\r\n@param email is users email\r\n@param $conn is the connection object\r\n*\/\r\npublic function checkUserExist($email,$conn){\r\n$sql=\"select count(*) from Myuser where email=:email\";\r\n$st=$conn->prepare($sql);\r\n$st->bindValue(':email',$email);\r\n$st->execute();\r\n$num=$st->fetchColumn();\r\n$st=null;\r\nif($num>0)\r\nreturn true;\r\nelse \r\nreturn false;\r\n}\r\n\/*\r\nThis method authenticates the user\r\n@param email is users email\r\n@param password is the submitted password\r\n@param $conn is the connection object\r\n*\/\r\npublic function authen($email,$password,$conn){\r\n$sql=\"select password from Myuser where email=:email\";\r\n$st=$conn->prepare($sql);\r\n$st->bindValue(\":email\",$email);\r\n$res=$st->execute();\r\n$row=$st->fetchAll();\r\nif(password_verify($password,$row[0]['password']))\r\nreturn true;\r\nelse\r\nreturn false;\r\n}\r\n\r\npublic function register($email,$password,$name,$conn){\r\n$hash=password_hash($password,PASSWORD_DEFAULT);\/\/we hash our password\r\n$sql=\"INSERT INTO Myuser ( email, password,name ) VALUES ( :email, :password ,:name)\"; \r\n$st=$conn->prepare($sql);\r\n$st->bindValue(\":email\",$email);\r\n$st->bindValue(\":password\",$hash);\r\n$st->bindValue(\":name\",$name);\r\n$st->execute();\r\n$st=null;\r\n}\r\n} \r\n?>\r\n\r\n<\/pre>\n\n
closeDataBase(): <\/code> As the name implies it closes the database. It is wise\u00a0to close a database connection after you are through with it. To close a database using PDO you need to destroy the PDO object by ensuring that all remaining\u00a0references to it are deleted\u2014You do this by assigning NULL to the variable that holds the PDO object. If you don’t do this explicitly, PHP will automatically close the connection when your script ends. We close out database by setting the PDO object to null. $conn=null<\/code> .
\nNote<\/b>: Many web applications will benefit from persistent connection to the database. Persistent connections will not be closed at the end of the script, but are going to be cached and re-used when another script requests a connection using the same credentials. Persistent connections are useful as it help prevent the overhead of establishing a new connection to the database everytime a script needs to talk to the database.<\/li>\ncheckUserExist($email,$conn)<\/code> : As the name implies this method checks if a particular user exists. It checks if the email supplied as a parameter exists in the database. If it exists then this user is already registered otherwise\u00a0the user is not registered.<\/li>\nregister($email,$password,$name,$conn)<\/code> : This code registers a new user. It saves the users email, password and name in the database.
\nNote:<\/b> Never Never Never! save a users password as text in the database, it is wrong. If your database gets compromised, the attacker will get easy access to your users password(The attacker then will gain access to the users account causing varying degrees of damage). Saving a user password as text, makes your web app vulnerable and defeats the need for authentication.
\nAlso never use sha1 and md5 to hash your users password. As computing power has increased the feasibility of breaking the SHA1 and md5 hash has been increased. You should use bcrypt for hashing your password. To use bcrypt for password hashing, in line 45 we call the password_hash()<\/code> which takes the password to hash as the first parameter and an hashing algorithm as the second parameter. The algorithm we can use are PASSWORD_DEFAULT<\/code> and \u00a0PASSWORD_BCRYPT <\/code> . If you are going to use the PASSWORD_DEFAULT<\/code> as your hashing algorithm it is recommended to store the result in a database column that can expand beyond 60 characters\u00a0(255 characters would be a good choice).<\/li>\n authen() <\/code> This authenticates the user when they try to login. The password_verify()<\/code> function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password.<\/li>\n<\/ul>\n<?php\r\nrequire_once(\"database.php\");\r\n$db=new Database();\r\nif(isset($_POST[\"login\"])){\r\n$password=$_POST[\"password\"];\r\n$email=$_POST[\"email\"];\r\nif(!empty($email) && !empty($password)){\r\nif($db->checkUserExist($email,$conn)){\/\/if this user exists\r\nif($db->authen($email,$password,$conn))\r\nheader(\"Location:success.html\");\r\nELSE\r\nheader(\"Location:error.html\");\r\n}\r\nelse \r\nheader(\"Location:error.html\");\r\n\r\n}\r\n$db->closeDataBase();\r\n}\r\nelse if(isset($_POST[\"register\"])){\r\n$email=$_POST['email'];\r\n$name=$_POST['name'];\r\n$password=$_POST['password'];\r\nif(!empty($email) && !empty($password) && !empty($name)){\r\n$db->register($email,$password,$name,$conn);\r\nheader(\"Location:success.html\");\r\n\r\n}\r\n$db->closeDataBase();\r\n}\r\n\r\n\r\n?>\r\n\r\n<\/pre>\n $db->register();<\/code> method to register the user and redirect him to the welcome page<\/p>\n2. Summary<\/h2>\n
3. Download the source code<\/h2>\n