HomePHP Page 2 - A Login System for a PHP Email Application
The code: form verification - PHP
We know from the previous article that the user ID is very important, in that it is used to retrieve various information from the database at various stages of the application. The login form sets this userID when you log in. It is the login system that will be the focus of this second part in a four-part series.
Javascript Code. This script provides the first code of authentication. It checks to see if the user has filled in all the required fields on the form. If the user has not done so, a dialog box pops up that tells the user exactly which field he or she did not fill in:
<script language="javascript" type="text/javascript"> function checkform(pform1){ if(pform1.uname.value==""){ alert("Please enter a username") pform1.uname.focus() return false } if(pform1.pw.value==""){ alert("Please enter a password") pform1.pw.focus() return false } if(pform1.pw.value=="" && pform1.uname.value==""){ alert("Please make sure that you have entered your username and password") return false } return true } </script>
Although this is a good way to check whether the user has indeed filled in all the needed values, it does not always work. This is because JavaScript can be turned off by some users, so if you rely on Javascript alone to verify user input, you will have a lot of problems later on.
PHP Form Code. This is the main code that processes the form information. It also acts as the second level of verification of form data. At first it checks to see if the form has been submitted. If it has been submitted, it checks to see if the form data that is contained within the submitted form has values. Its third step is to check whether the username and password match any that are in the database. Based on the outcome, the userID of the user will be stored in a session variable together with other data, and then the user will either be put through to the index page of the application or an error and the login page will be displayed:
<? ob_start(); session_start(); if(isset($_POST['submit'])){ //check if required data is submitted if(!empty($_POST['uname'] && $_POST['pw'] ){ /*
Here you can also check to see if the right kind of username and password have been submitted. For example, you can make the user submit a username that begins with "usr.username," then use regex to find out if that pattern has been followed. Also if you are really serious about security, you should use MD5 encryption here. This is to stop SQL injection and to make your form safer.
*/ include("connect.php"); $query = "SELECT user_id,email,uname,upass from user WHERE uname = '".$_POST['uname']."' AND upass = '".$_POST['pw']."'"; $result = mysql_query($query); $num = mysql_num_rows($result); $r=mysql_fetch_assoc($result); if($num > 0){ $_SESSION['userid'] = $r['user_id']; $_SESSION['user'] = $r['uname']; header("location:index.php?uid=".$r['user_id'].""); }else{ $error = "Your username and password do not match"; } }//form vars check else{ $error = "Please enter all required information"; } }//end submit ?>
I've not focused on form security too much, because everyone's security needs are different. But I've made some attempt at pointing you in the right direction. Look at the comments in red.
PHP 
/ 27 
