A Login System for a PHP Email Application

We know from the previous article that the user ID is very important, in that it is used to retrieve various information from the database at various stages of the application. The login form sets this userID when you log in. It is the login system that will be the focus of this second part in a four-part series.

For anyone to use the application, they have to be authenticated (be a registered user of the system) or be given an opportunity to become a member. This is what the login system primarily is for. Below is a screen shot of the login page.

The code: connecting and logging in

The login script presents a form in which the user must enter his/her username and password. It is then processed by the various code bits on the page and the appropriate action is taken. Let’s go through the various scripts involved.

Connect.php. This script is included on any page that uses the database. It contains the information that connects the application to the database:

<?php
// Note: the mysql_* functions used throughout this series were deprecated in PHP 5.5 and removed in PHP 7.0
$dbname = "mail";
$host = "localhost";
$dbh = mysql_connect($host) or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($dbname) or die('I cannot select the database because: ' . mysql_error());
?>

At each stage of the connection attempt, the code makes provisions for errors. This is in case you try to connect to a non-existing database or to a non-existing host.

Login.php. This script presents a login form to the user. This form takes the username and password of the user. The form is presented in a table, as you can see from the code:

Form:

<form action="login.php" method="post">
  <table width="50%" border="0" align="center" cellspacing="1" class="block">
    <tr>
      <td width="13%" colspan="2"><img src="http://www.devshed.com/wp-content/themes/twentyten/images/login.png" width="400" height="130" /></td>
    </tr>
    <tr>
      <td width="87%" valign="bottom" colspan="2"><font color="#ff0000" size="5"><?php
        if(isset($error)){
          echo $error;
        }elseif(isset($_GET['msg'])){
          echo "You are now registered. Please login below.";
        } ?></font></td>
    </tr>
    <tr class="table">
      <td>&nbsp;</td>
      <td>Login here: </td>
    </tr>
    <tr>
      <td>Username</td>
      <td><input name="uname" type="text" id="uname" value="jacques" size="40" /></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input name="pw" type="password" id="pw" value="pass" size="40" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="submit" value="Login" /></td>
    </tr>
  </table>
</form>

In addition to taking user input, the form also displays error messages from the actual login script:

if(isset($error)){
  echo $error;
}elseif(isset($_GET['msg'])){
  echo "You are now registered. Please login below.";
}

The $error variable is set in the actual code that processes the username and password.

The code: form verification

JavaScript code. This script provides the first level of verification. It checks to see if the user has filled in all the required fields on the form. If the user has not done so, a dialog box pops up that tells the user exactly which field he or she did not fill in:

<script language="javascript" type="text/javascript">
function checkform(pform1){
  // Test the "both empty" case first; placed last, it could never be reached
  if(pform1.pw.value=="" && pform1.uname.value==""){
    alert("Please make sure that you have entered your username and password");
    pform1.uname.focus();
    return false;
  }
  if(pform1.uname.value==""){
    alert("Please enter a username");
    pform1.uname.focus();
    return false;
  }
  if(pform1.pw.value==""){
    alert("Please enter a password");
    pform1.pw.focus();
    return false;
  }
  return true;
}
</script>

Although this is a good way to check whether the user has filled in all the needed values, it does not always work. Some users turn JavaScript off, so if you rely on JavaScript alone to verify user input, you will have a lot of problems later on.

PHP Form Code. This is the main code that processes the form information. It also acts as the second level of verification of form data. At first it checks to see if the form has been submitted. If it has been submitted, it checks to see if the form data that is contained within the submitted form has values. Its third step is to check whether the username and password match any that are in the database. Based on the outcome, the userID of the user will be stored in a session variable together with other data, and then the user will either be put through to the index page of the application or an error and the login page will be displayed:

<?php
ob_start();
session_start();
if(isset($_POST['submit'])){
  //check if required data is submitted
  if(!empty($_POST['uname']) && !empty($_POST['pw'])){
    /*
    Here you can also check to see if the right kind of username and password have been submitted. For example, you can make the user submit a username that begins with "usr.username," then use regex to find out if that pattern has been followed. Also if you are really serious about security, you should use MD5 encryption here. This is to stop SQL injection and to make your form safer.
    */
    include("connect.php");
    // Escape the submitted values before they are placed in the query
    $uname = mysql_real_escape_string($_POST['uname']);
    $pw = mysql_real_escape_string($_POST['pw']);
    $query = "SELECT user_id,email,uname,upass FROM user WHERE uname = '".$uname."' AND upass = '".$pw."'";
    $result = mysql_query($query);
    $num = mysql_num_rows($result);
    $r = mysql_fetch_assoc($result);
    if($num > 0){
      $_SESSION['userid'] = $r['user_id'];
      $_SESSION['user'] = $r['uname'];
      header("Location: index.php?uid=".$r['user_id']);
      exit; // stop here so nothing else runs after the redirect
    }else{
      $error = "Your username and password do not match";
    }
  }//form vars check
  else{
    $error = "Please enter all required information";
  }
}//end submit
?>

I’ve not focused on form security too much, because everyone’s security needs are different. But I’ve made some attempt at pointing you in the right direction. Look at the comments in red.

The code: logging out and registration

Logout page. This page basically logs you out of the system and destroys any sessions that were created when you logged in. The application then returns the user to the login page.

Logout.php

<?php
ob_start();
session_start();
session_unset();
session_destroy();
header("Location: login.php");
exit; // stop here so nothing else runs after the redirect
?>

register.php. This code registers a new user. The fields provided in the form match those declared in the users table. See the previous article.

Form:

<table width="100%" border="0" cellspacing="7">
  <tr bgcolor="#FFFFFF">
    <td valign="top">&nbsp;<img src="http://www.devshed.com/wp-content/themes/twentyten/images/registration.png" width="661" height="130" /></td>
  </tr>
  <tr>
    <td width="89%" valign="top" colspan="2"><form action="register.php" method="post">
      <table width="100%" border="0" cellspacing="1" class="block">
        <tr class="table">
          <td colspan="2">&nbsp;</td>
        </tr>
        <tr>
          <td colspan="2">*<strong>ALL</strong> fields are required. </td>
        </tr>
        <tr>
          <td colspan="2">&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>User Info: </strong></td>
        </tr>
        <tr>
          <?php if(!empty($err)){ ?>
          <td width="87%" valign="bottom" colspan="2"><?php
            echo "The following errors were detected:<br>";
            echo "<font color=\"#ff0000\">$errmsg</font><br>"; ?></td>
          <?php } ?>
        </tr>
        <tr>
          <td width="29%">Login name </td>
          <td width="71%"><input name="uname" type="text" id="uname" size="60" /></td>
        </tr>
        <tr>
          <td>Login Password </td>
          <td><input name="upass" type="text" id="upass" size="60" /></td>
        </tr>
        <tr>
          <td>Email Address </td>
          <td><input name="email" type="text" id="email" size="60" /></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>Logon Info: </strong></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr>
          <td>RemoteUsername </td>
          <td><input name="remuser" type="text" id="remuser" size="60" /></td>
        </tr>
        <tr>
          <td>Remote Password </td>
          <td><input name="rempass" type="text" id="rempass" size="60" /></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>Server Info: </strong> </td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr>
          <td>Incoming Mail Server: </td>
          <td><input name="pop3" type="text" id="pop3" size="60" /></td>
        </tr>
        <tr>
          <td>Outgoing Mail Server: </td>
          <td><input name="smtp" type="text" id="smtp" size="60" /></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" name="submit" value="Register me now!" /></td>
        </tr>
      </table>
    </form></td>
  </tr>
  <tr>
    <td colspan="2"><div align="center">Copyright 2005 </div></td>
  </tr>
</table>

The code: form handling and user profile

Form Handling Script. This script basically processes the data that is sent in through the form. The first thing it does is find out whether all the needed form variables are set:

<?php
if(isset($_POST['submit'])){
  $err = false;
  $errmsg = ""; // start empty so the .= appends below never hit an undefined variable
  if(empty($_POST['uname'])){
    $err = true;
    $errmsg .= "Please enter a login name<br>";
  }
  if(empty($_POST['upass'])){
    $err = true;
    $errmsg .= "Please enter a login password<br>";
  }
  if(empty($_POST['email'])){
    $err = true;
    $errmsg .= "Please enter an email address<br>";
  }
  if(empty($_POST['remuser'])){
    $err = true;
    $errmsg .= "Please enter a remote username<br>";
  }
  if(empty($_POST['rempass'])){
    $err = true;
    $errmsg .= "Please enter a remote password<br>";
  }
  if(empty($_POST['pop3'])){
    $err = true;
    $errmsg .= "Please enter an incoming mail server name<br>";
  }
  if(empty($_POST['smtp'])){
    $err = true;
    $errmsg .= "Please enter an outgoing mail server name<br>";
  }

If all the variables are set, it then continues to insert the form data into the database and send the user to the login page with a message variable with the value of one. This variable will be used in the login page to display a successful registration message:

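  if(!$err){
    include "connect.php";
    // Escape every submitted value before it is placed in the query
    $f = array();
    foreach(array('uname','upass','email','remuser','rempass','pop3','smtp') as $k){
      $f[$k] = mysql_real_escape_string($_POST[$k]);
    }
    $query = "INSERT INTO user SET uname = '".$f['uname']."', upass = '".$f['upass']."', email = '".$f['email']."',";
    $query .= " remuser = '".$f['remuser']."', rempass = '".$f['rempass']."', pop3 = '".$f['pop3']."', smtp = '".$f['smtp']."'";
    if($result = mysql_query($query)){
      // No spaces around "=": login.php tests $_GET['msg']
      header("Location: login.php?msg=1");
      exit;
    }else{
      $error = mysql_error();
    }
  }
}
?>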
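The login.php check and the register.php insert written with bound parameters and hashed passwords, as an added example that is not the article's code. It uses PDO rather than the article's mysql_* calls; the in-memory SQLite database, the function names and the sample account are assumptions made so that it runs offline.

```php
<?php
// Added example, not the article's code. Column names follow the article's
// `user` table; the SQLite in-memory database and the sample account are
// constructed so the script runs offline.
declare(strict_types=1);

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        user_id INTEGER PRIMARY KEY, uname TEXT UNIQUE, upass TEXT, email TEXT)');
    return $db;
}

// register.php equivalent: values are bound, never concatenated, and only a
// salted hash of the login password is stored.
function register_user(PDO $db, string $uname, string $pw, string $email): int {
    $stmt = $db->prepare(
        'INSERT INTO user (uname, upass, email) VALUES (:uname, :upass, :email)');
    $stmt->execute([
        ':uname' => $uname,
        ':upass' => password_hash($pw, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    return (int) $db->lastInsertId();
}

// login.php equivalent: look the row up by name, then verify the hash.
// Returns the row on success, null on any failure.
function authenticate(PDO $db, string $uname, string $pw): ?array {
    $stmt = $db->prepare(
        'SELECT user_id, uname, upass FROM user WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['upass'])) {
        return null;
    }
    unset($row['upass']);          // never carry the hash into the session
    return $row;
}

$db = open_demo_db();
register_user($db, "o'neil", 'constructed-pass', 'oneil@example.test');
var_dump(authenticate($db, "o'neil", 'constructed-pass')); // the quote in the name is plain data
var_dump(authenticate($db, "o'neil", 'wrong-pass'));
var_dump(authenticate($db, 'nobody', 'constructed-pass'));
```

In login.php, a non-null result is the point at which to call session_regenerate_id(true) and store the user ID in $_SESSION.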

User profile. This page is used to show user information and can also be used to update user information. All of the user’s information, such as the user name and password, is displayed in a form. Sensitive information such as passwords is displayed with asterisks, for security reasons:

Form:

<table width="100%" border="0" cellspacing="7">
  <tr bgcolor="#FFFFFF">
    <td valign="top">&nbsp;<img src="http://www.devshed.com/wp-content/themes/twentyten/images/logo.png" width="87" height="95" /></td>
  </tr>
  <tr>
    <td width="89%" valign="top" colspan="2"><form action="profile.php" method="post">
      <table width="100%" border="0" cellspacing="1" class="block">
        <tr class="table">
          <td colspan="2">&nbsp;</td>
        </tr>
        <tr>
          <td colspan="2">*<strong>ALL</strong> fields are required. </td>
        </tr>
        <tr>
          <td colspan="2">&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>User Info: </strong></td>
        </tr>
        <tr>
          <?php if(!empty($err)){ ?>
          <td width="87%" valign="bottom" colspan="2"><?php
            echo "The following errors were detected:<br>";
            echo "<font color=\"#ff0000\">$errmsg</font><br>"; ?></td>
          <?php } ?>
        </tr>
        <?php if($num_details > 0){
        while($res = mysql_fetch_array($result_details)){ ?>
        <!-- Stored values are HTML-escaped before being written into the value attributes -->
        <tr>
          <td width="29%">Login name </td>
          <td width="71%"><input name="uname" type="text" id="uname" size="60" value="<?=htmlspecialchars($res['uname'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>Login Password </td>
          <td><input name="upass" type="password" id="upass" size="60" value="<?=htmlspecialchars($res['upass'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>Email Address </td>
          <td><input name="email" type="text" id="email" size="60" value="<?=htmlspecialchars($res['email'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>Logon Info: </strong></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr>
          <td>RemoteUsername </td>
          <td><input name="remuser" type="text" id="remuser" size="60" value="<?=htmlspecialchars($res['remuser'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>Remote Password </td>
          <td><input name="rempass" type="password" id="rempass" size="60" value="<?=htmlspecialchars($res['rempass'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr class="td">
          <td colspan="2"><strong>Server Info: </strong> </td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>&nbsp;</td>
        </tr>
        <tr>
          <td>Incoming Mail Server: </td>
          <td><input name="pop3" type="text" id="pop3" size="60" value="<?=htmlspecialchars($res['pop3'], ENT_QUOTES)?>"/></td>
        </tr>
        <tr>
          <td>Outgoing Mail Server: </td>
          <td><input name="smtp" type="text" id="smtp" size="60" value="<?=htmlspecialchars($res['smtp'], ENT_QUOTES)?>"/></td>
        </tr>
        <?php }
        } ?>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" name="submit" value="Update" /></td>
        </tr>
      </table>
    </form></td>
  </tr>
  <tr>
    <td colspan="2"><div align="center">Copyright 2005 </div></td>
  </tr>
</table>

<?php
session_start();
include("connect.php");
// The user ID comes from the session; cast it to an integer before using it in SQL
$userid = (int)$_SESSION['userid'];
$query_details = "SELECT * FROM user WHERE user_id = '".$userid."'";
$result_details = mysql_query($query_details);
$num_details = mysql_num_rows($result_details);
if(isset($_POST['submit'])){
  $err = false;
  $errmsg = ""; // start empty so the .= appends below never hit an undefined variable
  if(empty($_POST['uname'])){
    $err = true;
    $errmsg .= "Please enter a login name<br>";
  }
  if(empty($_POST['upass'])){
    $err = true;
    $errmsg .= "Please enter a login password<br>";
  }
  if(empty($_POST['email'])){
    $err = true;
    $errmsg .= "Please enter an email address<br>";
  }
  if(empty($_POST['remuser'])){
    $err = true;
    $errmsg .= "Please enter a remote username<br>";
  }
  if(empty($_POST['rempass'])){
    $err = true;
    $errmsg .= "Please enter a remote password<br>";
  }
  if(empty($_POST['pop3'])){
    $err = true;
    $errmsg .= "Please enter an incoming mail server name<br>";
  }
  if(empty($_POST['smtp'])){
    $err = true;
    $errmsg .= "Please enter an outgoing mail server name<br>";
  }
  if(!$err){
    // Escape every submitted value before it is placed in the query
    $f = array();
    foreach(array('uname','upass','email','remuser','rempass','pop3','smtp') as $k){
      $f[$k] = mysql_real_escape_string($_POST[$k]);
    }
    $query = "UPDATE user SET uname = '".$f['uname']."', upass = '".$f['upass']."', email = '".$f['email']."',";
    $query .= " remuser = '".$f['remuser']."', rempass = '".$f['rempass']."', pop3 = '".$f['pop3']."', smtp = '".$f['smtp']."'";
    $query .= " WHERE user_id = '".$userid."'";
    if($result = mysql_query($query)){
      header("Location: login.php?msg=1");
      exit;
    }else{
      $error = mysql_error();
    }
  }
}
?>

The user profile is then updated by running the UPDATE query against the database.
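A password field only masks the value on screen; whatever is written into its value attribute is still in the page source. As an added example (not the article's code), a profile form that escapes stored values, leaves the password fields blank and treats a blank password as "no change"; the function names and the sample data are assumptions.

```php
<?php
// Added example, not the article's code. Field names follow the article's
// profile form; the $stored row below is constructed sample data.
declare(strict_types=1);

const TEXT_FIELDS   = ['uname', 'email', 'remuser', 'pop3', 'smtp'];
const SECRET_FIELDS = ['upass', 'rempass'];

// Build the <input> rows. Stored values are HTML-escaped; secret fields are
// rendered empty, so a stored password never appears in the page source.
function render_profile_inputs(array $stored): string {
    $html = '';
    foreach (TEXT_FIELDS as $name) {
        $value = htmlspecialchars((string) ($stored[$name] ?? ''), ENT_QUOTES, 'UTF-8');
        $html .= "<input name=\"$name\" type=\"text\" value=\"$value\" />\n";
    }
    foreach (SECRET_FIELDS as $name) {
        $html .= "<input name=\"$name\" type=\"password\" value=\"\" />\n";
    }
    return $html;
}

// Decide what an update should write: text fields must be non-empty, while
// a blank secret field means "keep the current one" and is left out.
function plan_profile_update(array $post): array {
    $changes = $errors = [];
    foreach (TEXT_FIELDS as $name) {
        $value = trim((string) ($post[$name] ?? ''));
        if ($value === '') {
            $errors[] = $name;
        } else {
            $changes[$name] = $value;
        }
    }
    foreach (SECRET_FIELDS as $name) {
        $value = (string) ($post[$name] ?? '');
        if ($value !== '') {
            $changes[$name] = $value;
        }
    }
    return ['changes' => $changes, 'errors' => $errors];
}

$stored = ['uname' => 'o"neil<b>', 'email' => 'oneil@example.test', 'remuser' => 'oneil',
           'pop3' => 'pop.example.test', 'smtp' => 'smtp.example.test',
           'upass' => 'stored-secret', 'rempass' => 'stored-remote-secret'];
echo render_profile_inputs($stored);
// Constructed submission: same text fields, both password fields left blank
print_r(plan_profile_update(['upass' => '', 'rempass' => ''] + $stored));
```

The returned changes are what a parameterized UPDATE would bind, with a new upass hashed before it is stored.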

Conclusion

In the next article we will discuss what happens after the user has been put through to the index page of the application and also look at how to download new messages from a mail server.
