Using PHP Encryption for Login Authentication

Following up on "Implementing One-way Encryption in PHP," my previous tutorial about using one-way encryption to build a secure online diary application, this article explores using PHP encryption for login authentication. It presents the two scripts that make up the diary application: the login and diary scripts, as well as the necessary database server connection script.

We start with the login script.

The Login Script

The login script ensures that unauthorized users don't access other people's diary contents. Every user who wants to use a diary needs to have it registered. The login code below shows both file- and database-based methods for authenticating a user.

<?php session_start(); include "global.php"; if(isset($_POST['submit'])){ //get stored password from database $sql= "SELECT id,name FROM users WHERE pass='".MD5($_POST['pw'])."'"; $res = mysql_query($sql); if($res){ $row= mysql_fetch_assoc($res); $name= $row['name']; $_SESSION['name'] =$name ; $_SESSION['id'] =$row['id'] ; header("location:editor.php"); }else{ echo "Your details did not match"; exit; } } /**IF your password is stored in a txtfile if(isset($_POST['submit'])){ //get pass from file if(file_exists('passfile.txt')){ //open up the file if($file_pointer = fopen('passfile.txt','r')){ $pass=fread($file_pointer,15); //echo $pass; fclose($file_pointer); //compare the hashed password against the pass from the form if(md5($_POST['pw'])==$pass){ header("location:editor.php"); } }else{ echo "An error occurred while reading the file"; } }else{ echo "Could not carry out the file operation because file does not exists."; }//fileexists */ ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "https://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Untitled Document</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> <!-- .style1 { font-size: 36px; font-weight: bold; } --> </style> </head> <body> <form action="login.php" method="post"> <table width="100%" border="1"> <tr> <td colspan="2"><span class="style1">My Diary Login </span></td> </tr> <tr> <td width="14%"> </td> <td width="86%"> </td> </tr> <tr> <td>Login:</td> <td><input type="password" name="pw"></td> </tr> <tr> <td> </td> <td><input type="submit" name="submit" value="submit"></td> </tr> </table> </form> </body> </html>

Whether you use the file-based or database-based method is entirely up to you. Either way, the page should look like Figure 1.

Figure 1. Login Page for Online Diary Application

To start with, the PHP portion of the code processes the data that is sent from the login form. It then uses one of the two authentication methods.

Database-based Authentication

Because we will store some data into session variables, we first start a session for the user. Then we include the global.php file that contains the database-connection details:

<?php session_start(); include "global.php";

Now we start authenticating the user. We start off by checking if the form has been submitted:

if(isset($_POST['submit'])){

Then we build a SQL statement to retrieve the stored password from the database:

//get stored password from database $sql= "SELECT id,name FROM users WHERE pass='".MD5($_POST['pw'])."'";

We run the SQL statement using the mysql_query() function:

$res = mysql_query($sql);

Next, we test to see if any results have been returned:

if($res){

If results have been returned, we fetch the record using MySQL's mysql_fetch_assoc() function:

$row= mysql_fetch_assoc($res);

We store the name and ID of the user in session variables:

$name= $row['name']; $_SESSION['name'] =$name ; $_SESSION['id'] =$row['id'] ;

Then we redirect the user to the text editor page:

header("location:editor.php");

If the $res variable does not contain any results, then the user who is trying to log in either does not exist or has mistyped their login details. In either case, the details will not match, so we show an error message:

}else{ echo "Your details did not match"; exit; } }

File-based Authentication

The second method of authentication is when you store your details in a file. The logic for retrieving the password is the same as that for doing it with the database server. First we check if the file that we want to open exists:

/**IF your password is stored in a txtfile if(isset($_POST['submit'])){ //get pass from file if(file_exists('passfile.txt')){

Then we open the file to read the contents. To do this, we need to specify the file name and opening mode:

//open up the file if($file_pointer = fopen('passfile.txt','r')){

Then we read the file using the fread() function and store the results in the $pass variable:

$pass=fread($file_pointer,15); //echo $pass;

Then we close the file, because we got what we wanted from it:

fclose($file_pointer);

The password that is stored in the file is now stored in the $pass variable. The password is already hashed, so it is actually a 32-character string as opposed to a plain text string. So we have to compare the user-submitted password with the password that is retrieved from the file. The following line of code does exactly that.

//compare the hashed password against the pass from the form if(md5($_POST['pw'])==$pass){ header("location:editor.php");

If the passwords match, we send the user over to the editor script. If they do not, then we show the following message:

}else{ echo "your details did not match"; }

If an error occurs while trying to read the file, we show this error message:

}else{ echo "An error occurred while reading the file"; } }else{

Similarly, if we cannot find the file that we want to open, we write a similar error message:

echo "Could not carry out the file operation because file does not exists."; }//fileexists */ ?>

HTML Portion of Login Page

The HTML portion of the login page is very easy to understand. First, the HTML headers are set and some styles are defined:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "https://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Untitled Document</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> <!-- .style1 { font-size: 36px; font-weight: bold; } --> </style> </head> <body>

Then the form tag is created:

<form action="login.php" method="post">

Then the table is created, the table headers are set, and all the other formatting is done:

<table width="100%" border="1"> <tr> <td colspan="2"><span class="style1">My Diary Login </span></td> </tr> <tr> <td width="14%"> </td> <td width="86%"> </td> </tr>

The form then presents the user with a textfield element that will take the password:

<tr> <td>Login:</td> <td><input type="password" name="pw"></td> </tr>

Finally the form button is defined:

<tr> <td> </td> <td><input type="submit" name="submit" value="submit"></td> </tr> </table> </form> </body> </html>

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both