In our previous tutorials we discussed how to create a secure registration page using three different approaches:
mysql: How to Create Secure Registration Page in PHP/MySQL Part I
mysqli: How to Create Secure Registration Page in PHP/MySQL Part II
PDO: How to Create Secure Registration Page in PHP/MySQL Part III
This time we will create a secure login script that works against the database from those tutorials, so be sure to read them, especially the part on creating the database: the scripts below expect a member table with username, password and salt columns.
I will cover two of the three approaches here, beginning with the mysql extension.
mysql extension
Now let's create the login form.
login.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="login.php">
<table width="510" border="0" align="center">
<tr><td colspan="2">Login Form</td></tr>
<tr><td>Username</td><td><input type="text" name="username" id="username" /></td></tr>
<tr><td>Password</td><td><input type="password" name="password" id="password" /></td></tr>
<tr><td colspan="2"><input type="submit" name="button" id="button" value="Submit" /></td></tr>
</table>
</form>
</body>
</html>
login.php
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// Connect and select the database created in the registration tutorial.
mysql_connect('localhost', 'root', '');
mysql_select_db('login');
// Escape the username before it is placed inside the query string.
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt
FROM member
WHERE username = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
header('Location: login.html');
exit; // stop here; without exit PHP keeps running after the redirect header is sent.
}
$userData = mysql_fetch_assoc($result);
// Recompute the salted hash exactly as the registration tutorial stored it.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if(!hash_equals($userData['password'], $hash)) // Incorrect password. hash_equals() is a constant-time, strict comparison; != is not.
{
header('Location: login.html');
exit;
}else{ // Redirect to home page after successful login.
header('Location: home.html');
exit;
}
?>
Note that we are still using mysql_real_escape_string() to escape the username before it is placed in the query string, and that the submitted password is never stored or compared in plain text: we recompute the salted SHA-256 hash exactly as the registration tutorial stored it and compare the two digests. Two caveats are worth keeping in mind. First, compare digests with hash_equals() rather than != or ==: PHP's loose comparison treats two numeric-looking strings as numbers, so two different digests of the form 0e followed only by digits would compare equal. Second, the mysql extension has been deprecated since PHP 5.5 and was removed in PHP 7, so treat this version as legacy and prefer the mysqli code below or PDO.
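The hash check in isolation, as an added example that is not part of the original tutorial. It reimplements the salted SHA-256 scheme the registration tutorial stores, compares digests with hash_equals(), and then shows with two constructed strings why a plain != or == on digests is unsafe in PHP. The salt value, the sample password and the two 0e strings are chosen for the demonstration and are not from the page.

```php
<?php
// Added example, not from the original tutorial.
// Hash scheme used by the registration tutorial: sha256(salt . sha256(password)).
function make_hash(string $password, string $salt): string
{
    return hash('sha256', $salt . hash('sha256', $password));
}

// Constant-time, type-strict comparison of a submitted password against a stored row.
function check_password(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, make_hash($password, $salt));
}

// Constructed sample row: the salt is an assumed value, the hash is what
// registration would have written for the password "correct horse".
$salt       = '3f9a1c7e';
$storedHash = make_hash('correct horse', $salt);

var_dump(check_password('correct horse', $salt, $storedHash));  // right password
var_dump(check_password('wrong password', $salt, $storedHash)); // wrong password

// Why hash_equals() and not != : PHP compares two numeric strings as numbers, and
// a hex digest of the form "0e<digits>" is a numeric string whose value is 0.
// The two constructed digests below are different strings, yet the loose
// comparison treats them as equal numbers, so a check written as
// "if ($hash != $stored)" would not fire and the login would be accepted.
$a = '0e462097431906509019562988736854';
$b = '0e830400451993494058024219903391';
var_dump($a == $b);            // loose comparison: both parse as the number 0
var_dump($a === $b);           // strict comparison sees the different bytes
var_dump(hash_equals($a, $b)); // and so does hash_equals(), in constant time
```

Run it with php on the command line; the first check succeeds, the second fails, and the three comparisons at the end show the loose operator calling two different strings equal while === and hash_equals() do not. The odds of a real SHA-256 digest having that 0e shape are tiny, but hash_equals() costs nothing and also removes the timing side channel of a byte-by-byte string comparison. For new code, store password_hash() output and verify with password_verify() instead of a fast hash like SHA-256.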
mysqli extension
login.html
Modify the above code from:
<form id="form1" name="form1" method="post" action="login.php">
to
<form id="form1" name="form1" method="post" action="login2a.php">
login2a.php
Procedural style
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// mysqli_connect() takes the database name directly, so no separate select_db call.
$mysqli = mysqli_connect('localhost', 'root', '', 'login');
// Procedural mysqli functions take the connection link as their first argument.
$username = mysqli_real_escape_string($mysqli, $username);
$query = "SELECT password, salt
FROM member
WHERE username = '$username';";
$result = mysqli_query($mysqli, $query);
if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
header('Location: login.html');
exit; // stop here; without exit PHP keeps running after the redirect header is sent.
}
$userData = mysqli_fetch_assoc($result);
// Recompute the salted hash exactly as the registration tutorial stored it.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if(!hash_equals($userData['password'], $hash)) // Incorrect password. hash_equals() is a constant-time, strict comparison; != is not.
{
header('Location: login.html');
exit;
}else{ // Redirect to home page after successful login.
header('Location: home.html');
exit;
}
?>
As you can see, we changed only a few lines of login.php, because the procedural style of the mysqli extension mirrors the old mysql functions. The two practical differences are that the database name goes straight into mysqli_connect(), and that the procedural mysqli functions take the connection link as their first argument.
Code equivalent:
mysql_connect() + mysql_select_db() = mysqli_connect() (database name is the fourth argument)
mysql_real_escape_string() = mysqli_real_escape_string() (connection link is the first argument)
mysql_query() = mysqli_query() (connection link is the first argument)
mysql_num_rows() = mysqli_num_rows()
mysql_fetch_assoc() = mysqli_fetch_assoc()
login2b.php
Object Oriented style
Again, change the action attribute of the form tag in login.html from login2a.php to login2b.php.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$mysqli = new mysqli('localhost', 'root', '', 'login');
$username = $mysqli->real_escape_string($username);
$query = "SELECT password, salt
FROM member
WHERE username = '$username';";
$result = $mysqli->query($query);
if($result->num_rows == 0) // User not found. So, redirect to login_form again.
{
header('Location: login.html');
exit; // stop here; without exit PHP keeps running after the redirect header is sent.
}
$userData = $result->fetch_assoc();
// Recompute the salted hash exactly as the registration tutorial stored it.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if(!hash_equals($userData['password'], $hash)) // Incorrect password. hash_equals() is a constant-time, strict comparison; != is not.
{
header('Location: login.html');
exit;
}else{ // Redirect to home page after successful login.
header('Location: home.html');
exit;
}
?>
The procedural functions used above and their object oriented equivalents:
mysqli_connect() = new mysqli()
mysqli_real_escape_string($mysqli, ...) = $mysqli->real_escape_string()
mysqli_query($mysqli, ...) = $mysqli->query()
mysqli_num_rows($result) = $result->num_rows
mysqli_fetch_assoc($result) = $result->fetch_assoc()
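Here is login2b.php hardened the way I would actually ship it, as an added example rather than the tutorial's own code. It keeps the same database, member table and hash scheme as above, but it sends the username to MySQL as a bound parameter instead of escaping it into the SQL string, compares digests with hash_equals(), stops after every redirect, gives the same response for an unknown user and a wrong password, and starts a session so that the home page can tell the user really logged in. The session handling and the dummy hash for unknown users go beyond what the tutorial shows; the credentials ('localhost', 'root', '', 'login') are the ones used above.

```php
<?php
// Added example, not the tutorial's own code: a hardened login2b.php.
// Assumes the same 'login' database, 'member' table (username, password, salt)
// and root credentials used in the tutorial.
session_start();

// Same scheme the registration tutorial stores: sha256(salt . sha256(password)).
function make_hash(string $password, string $salt): string
{
    return hash('sha256', $salt . hash('sha256', $password));
}

// True only if the user exists and the password matches its stored salted hash.
function authenticate(mysqli $db, string $username, string $password): bool
{
    // Bound parameter: the username travels separately from the SQL text, so
    // quotes or comment sequences inside it cannot change the query.
    $stmt = $db->prepare('SELECT password, salt FROM member WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false; // fail closed if the statement cannot be prepared
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash, $salt);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Do the same hashing work for an unknown user so that "no such user"
        // is not measurably faster than "wrong password". The salt is arbitrary.
        make_hash($password, 'no-such-user');
        return false;
    }
    return hash_equals($storedHash, make_hash($password, $salt));
}

function redirect(string $to): void
{
    header('Location: ' . $to);
    exit; // without exit, PHP keeps executing after the redirect header is sent
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
// Reject missing fields and array-shaped input (username[]=...) before touching the DB.
if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
    redirect('login.html');
}

try {
    $mysqli = new mysqli('localhost', 'root', '', 'login');
    if ($mysqli->connect_errno) {
        throw new RuntimeException($mysqli->connect_error);
    }
} catch (Throwable $e) {
    error_log('DB connect failed: ' . $e->getMessage()); // log it, never show it to the browser
    redirect('login.html');
}

if (authenticate($mysqli, $username, $password)) {
    session_regenerate_id(true);       // fresh session id on login defeats session fixation
    $_SESSION['username'] = $username;
    redirect('home.html');
}
redirect('login.html');                // same response for unknown user and wrong password
```

Save it as login2b.php beside login.html. The home page then needs to become a PHP file that calls session_start() and checks isset($_SESSION['username']) before showing anything, otherwise a plain home.html is reachable without logging in at all. With a prepared statement there is no longer an escaping step that can be forgotten, which is the real advantage over real_escape_string(). The salted SHA-256 column layout is kept only so the script works against the existing member table; for a new schema store password_hash() output and check it with password_verify().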
In the next tutorial we will cover the PDO version in its own article, since PDO's API differs enough from the code above that it deserves separate treatment.