Home arrow PHP arrow Page 4 - Filters and Login Systems for Web Application Security

The code - PHP

In this article we will be building our application, using the concepts discussed in the previous articles. Any web site that is selective in the kind of users that it wants to grant access to will need some method of filtering. This filtering is usually done through a login system. This (and more) is what we will be building. This article is the third part of an eight-part series.

  1. Filters and Login Systems for Web Application Security
  2. Definition and Storage File
  3. The Login page
  4. The code
By: David Web
Rating: starstarstarstarstar / 5
October 06, 2008

print this article



The login script has two methods of validating form data. The first is the JavaScript code that ensures that the user fills in all the data that is required. Then a secondary level of validation is added. This time, PHP does its own checking. and only then will this data be passed to the application.

JavaScript in itself is not a true security measure, but rather a convenience and also an extra layer of security. This is because JavaScript is a client-side technology (as opposed to PHP, which is server side). It saves the user the hassle of having to submit the form to the server, having it checked by PHP and then sent back if errors occur. What happens instead is that JavaScript checks the form data locally and if the checks are okay, it then sends the information to PHP. There is a small price for this convenience; the PHP file becomes a bit larger in size.

So why do we need PHP to check the form data if JavaScript does it in the first place? Because, as Iíve already stated, JavaScript is not a security measure in itself, for the simple reason that it can easily be turned off, rendering the code completely useless. The JavaScript code in our form primarily checks to see if the username and password fields in the form are filled in. If so, the data is sent to the PHP script; otherwise, a message box is displayed, alerting the user to the error:

if(pform1.pw.value=="" && pform1.uname.value==""){

alert("Please make sure that you have entered your username and password")

return false


In the code above, the pform1 refers to the form name and the pw refers to the form field name. The same applies to the uname.value line. The alert message is what the user will see if the form fields are empty.

In the next article we will continue to explore the login page and also discuss the benefits of authentication from a security point of view.

>>> More PHP Articles          >>> More By David Web

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates


Dev Shed Tutorial Topics: