In our previous tutorials we discussed how to create a secure registration page using three different approaches:
mysql: How to Create Secure Registration Page in PHP/MySQL Part I
mysqli: How to Create Secure Registration Page in PHP/MySQL Part II
PDO: How to Create Secure Registration Page in PHP/MySQL Part III
This time we will create a secure login script based on those tutorials, so be sure to read them first, especially the part on creating the database (the scripts below expect a database named login with a member table holding username, password and salt columns).
I will cover two approaches here, beginning with the mysql extension.
mysql extension
Now let's create the login form.
login.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="login.php">
  <!-- The input names must match the $_POST keys read in login.php -->
  <table width="510" border="0" align="center">
    <tr>
      <td colspan="2">Login</td>
    </tr>
    <tr>
      <td>Username</td>
      <td><input type="text" name="username" id="username" /></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input type="password" name="password" id="password" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="submit" id="submit" value="Login" /></td>
    </tr>
  </table>
</form>
</body>
</html>
login.php
<?php
$username = $_POST['username'];
$password = $_POST['password'];

// Same connection details as the registration tutorial (database 'login').
$link = mysql_connect('localhost', 'root', '');
mysql_select_db('login', $link);

// Escape the username before it is placed inside the quoted SQL string.
$username = mysql_real_escape_string($username, $link);
$query = "SELECT password, salt FROM member WHERE username = '$username';";
$result = mysql_query($query, $link);

if(mysql_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}

$userData = mysql_fetch_assoc($result);
// Re-create the salted hash the way the registration page stored it
// (hash scheme assumed to match the registration tutorial).
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}else{
    // Redirect to home page after successful login.
    header('Location: home.php'); exit; // home.php is a placeholder for your landing page
}
?>
Note that we are still using mysql_real_escape_string to protect the query against SQL injection, together with salted password hashing. Two caveats: the escaping only works because the value is wrapped in single quotes inside the query string, and the mysql extension was removed in PHP 7, so this version only runs on PHP 5. Comparing hashes with != is also not constant-time; on PHP 5.6 and later prefer hash_equals().
mysqli extension
login.html
Modify the above code from:
<form id="form1" name="form1" method="post" action="login.php">
to
<form id="form1" name="form1" method="post" action="login2a.php">
login2a.php
Procedural style
<?php
$username = $_POST['username'];
$password = $_POST['password'];

// mysqli connects and selects the database in one call.
$mysqli = mysqli_connect('localhost', 'root', '', 'login');

// Note the argument order: the connection comes first in mysqli.
$username = mysqli_real_escape_string($mysqli, $username);
$query = "SELECT password, salt FROM member WHERE username = '$username';";
$result = mysqli_query($mysqli, $query);

if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}

$userData = mysqli_fetch_assoc($result);
// Hash scheme assumed to match the registration tutorial.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}else{
    // Redirect to home page after successful login.
    header('Location: home.php'); exit; // home.php is a placeholder for your landing page
}
?>
As you can see, we changed only a few lines of the earlier login.php, because the procedural style of the mysqli extension mirrors the old mysql functions almost one-to-one.
Code equivalent:
mysql_connect() + mysql_select_db() = mysqli_connect() (the database name is the fourth argument)
mysql_real_escape_string() = mysqli_real_escape_string() (the connection is the first argument, not the last)
mysql_query() = mysqli_query()
mysql_num_rows() = mysqli_num_rows()
mysql_fetch_assoc() = mysqli_fetch_assoc()
login2b.php
Object Oriented style
Again, change the action attribute of the form tag in login.html from login2a.php to login2b.php.
<?php
$username = $_POST['username'];
$password = $_POST['password'];

$mysqli = new mysqli('localhost', 'root', '', 'login');

$username = $mysqli->real_escape_string($username);
$query = "SELECT password, salt FROM member WHERE username = '$username';";
$result = $mysqli->query($query);

if($result->num_rows == 0) // User not found. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}

$userData = $result->fetch_assoc();
// Hash scheme assumed to match the registration tutorial.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: login.html'); exit;
}else{
    // Redirect to home page after successful login.
    header('Location: home.php'); exit; // home.php is a placeholder for your landing page
}
?>
On procedural style we use the following code and its equivalent in object oriented style:
mysqli_connect() = new mysqli()
mysqli_real_escape_string() = $mysqli->real_escape_string()
mysqli_query() = $mysqli->query()
mysqli_num_rows() = $result->num_rows
mysqli_fetch_assoc() = $result->fetch_assoc()
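All three scripts above rely on escaping the username and then splicing it into the SQL text, which is safe only while the value stays inside single quotes, and they compare the stored hash with !=, which is not constant-time. The following login2c.php is an added example, not code from the original tutorial: it keeps the tutorial's schema (member table with username, password and salt columns, database login, root user with an empty password) and its assumed hash scheme, but binds the username through a mysqli prepared statement so it never becomes part of the SQL, uses hash_equals() for the comparison, and regenerates the session id after a successful login. The file name login2c.php and the redirect target home.php are placeholders.

```php
<?php
// Added example (login2c.php), not part of the original tutorial.
// Assumes the tutorial's schema: member(username, password, salt), where
// password = sha256(salt . sha256(plaintext)) as stored by the registration page.
session_start();

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Rebuild the salted hash exactly as the registration page computed it
// (scheme assumed to match the registration tutorial).
function compute_hash($password, $salt)
{
    return hash('sha256', $salt . hash('sha256', $password));
}

// hash_equals() (PHP 5.6+) compares in constant time, so the response time
// does not leak how many leading characters of the two hashes matched.
function password_matches($password, $salt, $storedHash)
{
    return hash_equals($storedHash, compute_hash($password, $salt));
}

// Throw on driver errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'root', '', 'login');

// The username is bound as a parameter: it never becomes part of the SQL text,
// so no escaping is needed and its contents cannot change the query.
$stmt = $mysqli->prepare('SELECT password, salt FROM member WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($storedHash, $salt);
$found = $stmt->fetch();
$stmt->close();

// Compute a hash even when the user does not exist, so "unknown user" and
// "wrong password" take about the same time and produce the same response.
if (!$found) {
    $storedHash = compute_hash('', '');
    $salt = '';
}
$ok = password_matches($password, $salt, $storedHash) && $found;

if ($ok) {
    session_regenerate_id(true);        // fresh session id: defeats session fixation
    $_SESSION['username'] = $username;
    header('Location: home.php');       // home.php is a placeholder for your landing page
    exit;
}

// Wrong user or wrong password: identical redirect either way, no hint which.
header('Location: login.html');
exit;
```

The prepared statement is the part that matters for injection: with bind_param the database receives the query template and the username separately, so the single-quote dependency of real_escape_string disappears. For new code you would normally drop the manual salt column altogether and store password_hash() output, checking it with password_verify(), which handles salting and constant-time comparison for you; the example keeps the tutorial's scheme only so it works against the database built in the registration tutorial.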
In our next tutorial we will cover PDO in a separate article, since the PDO code differs enough from the above that it deserves its own treatment.