We will need two files: "protect.php" and "login.php". The protect file is not meant to be viewed by itself. In order to protect a page, you need to include that file by using PHP code like the following:
CODE
include("protect.php");
Keep in mind that this needs to be in between your <?php and ?> tags.This bit of code uses the include function. It is a handy function that reads all the information contained in one file and temporarily adds it to another. For example, this can be used to create an easily modifiable template. You don’t really need to know exactly how it works to use it, though.
The login page is where users will enter their username and password in order to log in to your website. We’ll start by working on the login.php file.
CODE
<form action=login.php method=post>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
That is a bit of HTML that will create a login form, with two fields: username and password. When your users click the submit button, the page will reload (because we specified login.php as the action for the form – the action is the place the information contained will be sent to). When the page reloads, however, we want to see the post data – the information the user has sent, so that we can check if it is valid. To do that, we can use a bit of PHP code at the beginning of the page like the following:
CODE
<?php
if(isset($_POST["username"])&&isset($_POST["password"])) {
echo "Thank you for trying to login.";
}
?>
if(isset($_POST["username"])&&isset($_POST["password"])) {
echo "Thank you for trying to login.";
}
?>
If you put that code at the top of your login.php page, you’ll notice that when you press submit it will show the text. The "if" statement that I used may look new to you. The isset function checks if the given variable exists. The $_POST array indexes all the information that has been posted to the page. So when we use $_POST["username"], we are getting the posted value of the input indexed as "username" (as determined by the name parameter of our "input" fields that I showed you earlier). When combined with isset, we can check whether the user has posted a value to the page.
Now, we need to check if the user has entered correct information. To do so, we can use PHP code like the following (in place of the echo command in the above code).
CODE
$user = $_POST["username"];
$pass = $_POST["password"];
$validated = false;
//Begin validation code
if($user=="User1"&&$pass=="password1") $validated = true;
if($user=="User2"&&$pass=="password2") $validated = true;
//End validation code
//Begin login code
if($validated)
echo "Logged in as $user.";
else
echo "Invalid username/password combination.";
//End login code
$pass = $_POST["password"];
$validated = false;
//Begin validation code
if($user=="User1"&&$pass=="password1") $validated = true;
if($user=="User2"&&$pass=="password2") $validated = true;
//End validation code
//Begin login code
if($validated)
echo "Logged in as $user.";
else
echo "Invalid username/password combination.";
//End login code
This is a rather simple way to check. If we have more users, we could use something like the following in place of the validation code above:
CODE
$passwords = array("User1"=>"password1", "User2"=>"password2");
if(isset($passwords[$user])) if($passwords[$user]==$pass) $validated = true;
if(isset($passwords[$user])) if($passwords[$user]==$pass) $validated = true;
That code puts the passwords into an associative array, then checks to see if the password for the user is correct. Which method you choose does not matter.
Now, of course, we need to actually do something when we log in. To do this, we will use cookies. Cookies are pieces of data that websites can store on users’ computers. We will need to store login information. Each website has its own cookie, so we don’t need to worry about having the same names as other websites.
To set a cookie, we use the setcookie function. One important note about the setcookie function: you must use it before any statements that print data, e.g. echo.
CODE
//Begin login code
if($validated) {
setcookie("username", $user); //Sets a cookie storing the username
setcookie("password", MD5($pass)); //Sets a cookie storing the encrypted value of the password
echo "Logged in as $user.";
} else {
echo "Invalid username/password combination.";
}
//End login code
if($validated) {
setcookie("username", $user); //Sets a cookie storing the username
setcookie("password", MD5($pass)); //Sets a cookie storing the encrypted value of the password
echo "Logged in as $user.";
} else {
echo "Invalid username/password combination.";
}
//End login code
Now, one thing you may be confused about is the MD5 function. The MD5 function encrypts data. This is a simple security measure, and is by no means foolproof, but it helps protect you. I’ll show you later how to use the MD5 function to check if the password is correct.
We’re done with the login.php page. It should now correctly log you in. Here is the full code:
CODE
<?php
if(isset($_POST["username"])&&isset($_POST["password"])) {
$user = $_POST["username"];
$pass = $_POST["password"];
$validated = false;
//Begin validation code
if($user=="User1"&&$pass=="password1") $validated = true;
if($user=="User2"&&$pass=="password2") $validated = true;
//End validation code
//Begin login code
if($validated) {
setcookie("username", $user); //Sets a cookie storing the username
setcookie("password", MD5($pass)); //Sets a cookie storing the encrypted value of the password
echo "Logged in as $user.";
} else {
echo "Invalid username/password combination.";
}
//End login code
}
?>
<form action=login.php method=post>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
if(isset($_POST["username"])&&isset($_POST["password"])) {
$user = $_POST["username"];
$pass = $_POST["password"];
$validated = false;
//Begin validation code
if($user=="User1"&&$pass=="password1") $validated = true;
if($user=="User2"&&$pass=="password2") $validated = true;
//End validation code
//Begin login code
if($validated) {
setcookie("username", $user); //Sets a cookie storing the username
setcookie("password", MD5($pass)); //Sets a cookie storing the encrypted value of the password
echo "Logged in as $user.";
} else {
echo "Invalid username/password combination.";
}
//End login code
}
?>
<form action=login.php method=post>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
Now, we need to edit the protect.php page.
We’ll use a similar method for the login.php page to check if the user is logged in correctly.
CODE
<?php
$validated = false;
//Use $_COOKIE to get the cookie data – same usage as $_POST
if(isset($_COOKIE["username"])&&isset($_COOKIE["password"])) {
$user = $_COOKIE["username"];
$pass = $_COOKIE["password"];
//Begin validation code
if($user=="User1"&&$pass==MD5("password1")) $validated = true;
if($user=="User2"&&$pass==MD5("password2")) $validated = true;
//End validation code
}
if($validated) {
//Ok; don’t need to do anything
} else {
//Make user go to login page
header("Location: login.php");
exit;
}
?>
$validated = false;
//Use $_COOKIE to get the cookie data – same usage as $_POST
if(isset($_COOKIE["username"])&&isset($_COOKIE["password"])) {
$user = $_COOKIE["username"];
$pass = $_COOKIE["password"];
//Begin validation code
if($user=="User1"&&$pass==MD5("password1")) $validated = true;
if($user=="User2"&&$pass==MD5("password2")) $validated = true;
//End validation code
}
if($validated) {
//Ok; don’t need to do anything
} else {
//Make user go to login page
header("Location: login.php");
exit;
}
?>
The above code should look very familiar to you. It is basically the same as the login script, except for a few key differeneces:
First, $validated has moved outside of the block of code. This is because as opposed to only doing something when they post, we need to protect our page all the time.
Second, we use $_COOKIE instead of $_POST. This is because we want to get the cookie data. Nothing has been posted to the page, so $_POST is useless.
Third, we use MD5 to encrypt our set password before comparing it to the stored password. This is because the stored password is already encrypted and by encrypting the other before comparing we make sure the comparison is fair. We can't decrypt the stored password because MD5 is one-way encryption. But don't worry about encryption – just make sure when you are comparing two values either both or neither of them should be encrypted for it to work properly.
Fourth, the actions have changed. We no longer do anything when we have been validated, but if we haven’t been validated, we use the header function. This is a complex function. All you need to know for now is that header("Location: page"); redirects the user to the given page. We want our users to be redirected to the login page if they are not allowed to access the page. Then, we need to exit the script because we are done with the page.
Great! Now we have a working user validation script. Remember to include protect.php whenever you want to protect a page. This is only a simple script, though. There are many ways to improve it, such as:
-use a MySQL database for users
-automatically redirect back to the page the user came from when they log in
-have an access level specifier that allows certain users access to certain pages
-allow easy creation of users
If you have any questions or comments, or if you notice a problem with my tutorial or code, please reply. Feel free to ask me for details if you want to extend your code using one of my suggestions.
.
