Saturday, May 28, 2016

A Simple But Secure PHP Login Script For Newbs

Recently I posted about a Login Script in PHP, but some of our readers emailed me and complained about the Implementation Complexity of the script.Though I still consider that script very secure and one of the best, but still to make the unsatisfied lot a little happy, I am going to share a very very simple and yet very secure PHP Login script with you guys.Hope this script will be easy to understand and implement.

Besides, this script is quite secure, protecting your login form against SQL Injection and XSS attacks.You will also need MySQL database to implement this login script.


First Create a table as shown below:

CREATE TABLE IF NOT EXISTS `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
`password` char(64) COLLATE utf8_unicode_ci NOT NULL,
`salt` char(16) COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Now create a file common.php which will contain code that is shared between the different parts of your login system.

<?php

// These variables define the connection information for your MySQL database
$username = "dbusername";
$password = "dbpassword";
$host = "localhost";
$dbname = "dbname";

// UTF-8 is a character encoding scheme that allows you to conveniently store
// a wide varienty of special characters, like ¢ or €, in your database.
// By passing the following $options array to the database connection code we
// are telling the MySQL server that we want to communicate with it using UTF-8
// See Wikipedia for more information on UTF-8:
// http://en.wikipedia.org/wiki/UTF-8
$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => SET NAMES utf8);

// A try/catch statement is a common method of error handling in object oriented code.
// First, PHP executes the code within the try block. If, at any time, it encounters an
// error while executing that code, it stops immediately and jumps down to the
// catch block. For more detailed information on exceptions and try/catch blocks:
// http://us2.php.net/manual/en/language.exceptions.php
try
{
// This statement opens a connect to your database using the PDO library
// PDO is designed to provide a flexible interface between PHP and many
// different types of database servers. For more information on PDO:
// http://us2.php.net/manual/en/class.pdo.php
$db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
}
catch(PDOException $ex)
{
// If an error occurs while opening a connection to your database, it will
// be trapped here. The script will output an error and stop executing.
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to connect to the database: " . $ex->getMessage());
}

// This statement configures PDO to throw an exception when it encounters
// an error. This allows us to use try/catch blocks to trap database errors.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// This statement PDO to return database rows from your database using an associative
// array. This means the array will have string indexes, where the string value
// represents the name of the column in your database.
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// This block of code is used to undo magic quotes. Magic quotes are a terrible
// feature that was removed from PHP as of PHP 5.4. However, older installations
// of PHP may still have magic quotes enabled and this code is necessary to
// prevent them from causing problems. For more information on magic quotes:
// http://php.net/manual/en/security.magicquotes.php
if(function_exists(get_magic_quotes_gpc) && get_magic_quotes_gpc())
{
function undo_magic_quotes_gpc(&$array)
{
foreach($array as &$value)
{
if(is_array($value))
{
undo_magic_quotes_gpc($value);
}
else
{
$value = stripslashes($value);
}
}
}

undo_magic_quotes_gpc($_POST);
undo_magic_quotes_gpc($_GET);
undo_magic_quotes_gpc($_COOKIE);
}

// This tells the web browser that your content is encoded using UTF-8
// and that it should submit content back to you using UTF-8
header(Content-Type: text/html; charset=utf-8);

// This initializes a session. Sessions are used to store information about
// a visitor from one request to the next. Unlike a cookie, the information is
// stored on the server-side and cannot be modified by the visitor. However,
// note that in most cases sessions do still use cookies and require the visitor
// to have cookies enabled. For more information about sessions:
// http://us.php.net/manual/en/book.session.php
session_start();

Now create another file register.php which will allow you to create a user account. 

<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
// Ensure that the user has entered a non-empty username
if(empty($_POST[username]))
{
// Note that die() is generally a terrible way of handling user errors
// like this. It is much better to display the error with the form
// and allow the user to correct their mistake. However, that is an
// exercise for you to implement yourself.
die("Please enter a username.");
}

// Ensure that the user has entered a non-empty password
if(empty($_POST[password]))
{
die("Please enter a password.");
}

// We will use this SQL query to see whether the username entered by the
// user is already in use. :username is a special token. We will define
// its value later.
$query = "
SELECT
id
FROM users
WHERE
username = :username
";

// This contains the definitions for any special tokens that we place in
// our SQL query. In this case, we are defining a value for the token
// :username. It is possible to insert $_POST[username] directly into
// your $query string; however doing so is very insecure and opens your
// code up to SQL injection exploits. Using tokens prevents this.
// For more information on SQL injections, see Wikipedia:
// http://en.wikipedia.org/wiki/SQL_Injection
$query_params = array(
:username => $_POST[username]
);

try
{
// These two statements run the query against your database table.
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}

// The fetch() method returns an array representing the "next" row from
// the selected results, or false if there are no more rows to fetch.
$row = $stmt->fetch();

// If a row was returned, then we know a matching username was found in
// the database already and we should not allow the user to continue.
if($row)
{
die("This username is already in use");
}

// This query is used to create a new user record in the database table.
// Again, we are using special tokens (technically called parameters) to
// protect against SQL injection attacks.
$query = "
INSERT INTO users (
username,
password,
salt
) VALUES (
:username,
:password,
:salt
)
";

// A salt is randomly generated here to protect again brute force attacks
// and rainbow table attacks. The following statement generates a hex
// representation of an 8 byte salt. Representing this in hex provides
// no additional security, but makes it easier for humans to read.
// For more information:
// http://en.wikipedia.org/wiki/Salt_%28cryptography%29
// http://en.wikipedia.org/wiki/Brute-force_attack
// http://en.wikipedia.org/wiki/Rainbow_table
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

// This hashes the password with the salt so that it can be stored securely
// in your database. The output of this next statement is a 64 byte hex
// string representing the 32 byte sha256 hash of the password. The original
// password cannot be recovered from the hash. For more information:
// http://en.wikipedia.org/wiki/Cryptographic_hash_function
$password = hash(sha256, $_POST[password] . $salt);

// Here we prepare our tokens for insertion into the SQL query. We do not
// store the original password; only the hashed version of it. We do store
// the salt (in its plaintext form).
$query_params = array(
:username => $_POST[username],
:password => $password,
:salt => $salt
);

try
{
// Execute the query to create the user
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}

// This redirects the user back to the login page after they register
header("Location: login.php");

// Calling die or exit after performing a redirect using the header function
// is critical. The rest of your PHP script will continue to execute and
// will be sent to the user if you do not die or exit.
die("Redirecting to login.php");
}

?>
<h1>Register</h1>
<form action="register.php" method="post">
Username:<br />
<input type="text" name="username" value="" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" />
<br /><br />
<input type="submit" value="Register" />
</form>

Create a login.php which allows user to authenticate. 

<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// This variable will be used to re-display the users username to them in the
// login form if they fail to enter the correct password. It is initialized here
// to an empty value, which will be shown if the user has not submitted the form.
$submitted_username = ;

// This if statement checks to determine whether the login form has been submitted
// If it has, then the login code is run, otherwise the form is displayed
if(!empty($_POST))
{
// This query retreives the users information from the database using
// their username.
$query = "
SELECT
id,
username,
password,
salt
FROM users
WHERE
username = :username
";

$query_params = array(
:username => $_POST[username]
);

try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}

// This variable tells us whether the user has successfully logged in or not.
// We initialize it to false, assuming they have not.
// If we determine that they have entered the right details, then we switch it to true.
$login_ok = false;

$row = $stmt->fetch();
if($row)
{
// Using the password submitted by the user and the salt stored in the database,
// we now check to see whether the passwords match by hashing the submitted password
// and comparing it to the hashed version already stored in the database.
$check_password = hash(sha256, $_POST[password] . $row[salt]);
if($check_password === $row[password])
{
// If they do, then we flip this to true
$login_ok = true;
}
}

// If the user logged in successfully, then we send them to the members page
// Otherwise, we display a login failed message and show the login form again
if($login_ok)
{
// Here I am preparing to store the $row array into the $_SESSION by
// removing the salt and password values from it. Although $_SESSION is
// stored on the server-side, there is no reason to store sensitive values
// in it unless you have to. Thus, it is best practice to remove these
// sensitive values first.
unset($row[salt]);
unset($row[password]);

// This stores the users data into the session at the index user.
// We will check this index on the members page to determine whether
// or not the user is logged in. We can also use it to retrieve
// the users details.
$_SESSION[user] = $row;

// Redirect the user to the members page.
header("Location: members.php");
die("Redirecting to: members.php");
}
else
{
// Tell the user they failed
print("Login Failed.");

// Show them their username again so all they have to do is enter a new
// password. The use of htmlentities prevents XSS attacks. You should
// always use htmlentities on user submitted values before displaying them
// to any users (including the user that submitted them). For more information:
// http://en.wikipedia.org/wiki/XSS_attack
$submitted_username = htmlentities($_POST[username], ENT_QUOTES, UTF-8);
}
}

?>
<h1>Login</h1>
<form action="login.php" method="post">
Username:<br />
<input type="text" name="username" value="<?php echo $submitted_username; ?>" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" />
<br /><br />
<input type="submit" value="Login" />
</form>
<a href="register.php">Register</a>

Now create another file members.php which you may protect with your login system. 

<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION[user]))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");

// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}

// Everything below this point in the file is secured by the login system

// We can display the users username to them by reading it from the session array. Remember that because
// a username is user submitted content we must use htmlentities on it before displaying it to the user. The
// fact that we retrieved it from a database and not directly from the user does not matter.
?>
Hello <?php echo htmlentities($_SESSION[user][username], ENT_QUOTES, UTF-8); ?>, secret content!<br />
<a href="logout.php">Logout</a>

Now create a logout script logout.php which will enable your user to logout safely.
<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// We remove their data from the session
unset($_SESSION[user]);

// We redirect them to the login page
header("Location: login.php");
die("Redirecting to: login.php");

?>

Thats all!


I think that the PHP Script is simple enough to be understood and is self explanatory.And its tried and tested as well, so you can straightaway implement this script on your website.If you have any suggestions regarding this script then feel free to comment below.

Besides, if you like our blog and want to receive updates directly in your email, then you can subscribe below and dont forget to activate your subscription.Enjoy!

Cheers!