After testing whether the fields are empty and verifying the username format, the code checks the database for a match on the username and password entered by the user, after escaping the form data:

    //if there are no errors above, then clean the form values before using them in the query.
    if(!$err){
        $cleanuname = mysql_escape_string($_POST['uname']);
        $cleanupass = mysql_escape_string($_POST['upass']);

As the code above shows, the two form values are escaped using the mysql_escape_string() function. This function does not remove anything from the values; it puts a backslash in front of the characters that have a special meaning inside a quoted MySQL string (quotes, backslashes, NUL bytes and line breaks), so that a form value cannot break out of the quotes in the query. This kind of filtering is very important when building queries from form input, because unescaped values open the query to SQL injection. Note that mysql_escape_string() ignores the character set of the connection; mysql_real_escape_string() is the character-set-aware version. The whole mysql_* extension was removed in PHP 7, and prepared statements (mysqli or PDO) are the current way to do this.

Next the code runs the MySQL query that compares the information from the form with the data in the database:

        $checkuser = "SELECT * from users WHERE uname = '".$cleanuname."' AND upass = '".$cleanupass."'";
        $checkuser_res = mysql_query($checkuser);

The number of rows returned by the query is stored in the $checkuser_num variable, which will be greater than zero if there's a match and zero if there is not a match:

        $checkuser_num = mysql_num_rows($checkuser_res);
        if($checkuser_num > 0){

The code above checks for a match by testing whether the number of rows returned by the query is greater than zero. If so, we transfer user details to the session variables. The session has already been started by the inclusion of the dbcon.php file that contains the session_start() function. The name, user id and access level of the user are stored in the session variables, then the user is granted access to the application. From this point on the user will be tracked:

            //if user exists and passes authentication
            //setup session variables and redirect to index page
            $row = mysql_fetch_assoc($checkuser_res);
            $_SESSION['name'] = $row['name']." ".$row['sname'];
            $_SESSION['uid'] = $row['uid'];
            $_SESSION['level'] = $row['level'];
            //redirect
            header("location:main.php");
            exit; //stop the script so nothing below runs after the redirect

If the user details do not match, the $errmsg variable is assigned an error message which is then displayed on the log-in form:

        }else{
            //if values do not match set errmsg
            //(mysql_error() is appended here, so database error text reaches the user)
            $err=true;
            $errmsg .="The username or password you entered does not match.<br> MYSQL ERROR ".mysql_error();
        }//else
    }//end $err check
    } //end form submit check

Conclusion

The next article will finish off the section on user log-in and log out.
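The log-in check walked through above, reworked as an added example (not the article's own code): a PDO prepared statement replaces the escaping step, and password_hash()/password_verify() replace the comparison against a stored plain-text password. It assumes an in-memory SQLite table standing in for the article's users table, with constructed sample data; authenticate() is a hypothetical helper name.

```php
<?php
// Added example, not the article's code. Assumptions: an in-memory SQLite
// table stands in for the MySQL `users` table, `upass` holds a password hash,
// and authenticate() is a hypothetical helper name.
function authenticate(PDO $db, string $uname, string $upass): ?array
{
    // The placeholder keeps the form value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT uid, name, sname, level, upass FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same outcome for "no such user" and "wrong password".
    if ($row === false || !password_verify($upass, $row['upass'])) {
        return null;
    }
    unset($row['upass']); // the hash has no business in the session
    return $row;
}

// Constructed sample data so the script runs offline from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT UNIQUE,
           upass TEXT, name TEXT, sname TEXT, level INTEGER)');
$ins = $db->prepare('INSERT INTO users (uname, upass, name, sname, level) VALUES (?, ?, ?, ?, ?)');
$ins->execute(['jsmith', password_hash('correct horse', PASSWORD_DEFAULT), 'John', 'Smith', 1]);

// Constructed inputs: a valid log-in, a wrong password, and a name containing
// a quote, which the placeholder handles as ordinary data.
$attempts = [['jsmith', 'correct horse'], ['jsmith', 'wrong'], ["o'neil", 'x']];
foreach ($attempts as [$uname, $upass]) {
    $user = authenticate($db, $uname, $upass);
    printf("%-8s => %s\n", $uname, $user ? 'ok, uid ' . $user['uid'] : 'rejected');
}

// In the article's handler the successful branch would then be:
//   session_regenerate_id(true);  // fresh session id after log-in
//   $_SESSION['name']  = $user['name'] . ' ' . $user['sname'];
//   $_SESSION['uid']   = $user['uid'];
//   $_SESSION['level'] = $user['level'];
//   header('Location: main.php');
//   exit;
```

Only the first attempt is accepted; the other two are rejected through the same code path, so the response does not reveal whether the username exists.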