
Login Code continued - PHP

I recently completed an article series in which we built a project management application. Every application that wants to control access to its resources has an access control mechanism that will verify if a user is allowed to use the particular application. A project management application is a good candidate for such a control. In this four-part series, we will build an authentication system for the application.

  1. Project Management: Authentication
  2. Create the Table
  3. The Login Code
  4. Login Code continued
By: David Web
July 28, 2008




After testing to see if the fields are empty, and verifying the username format, the code goes on to run a check in the database to try to match the username and password entered by the user, after escaping the form data:

//if there are no errors above, then clean the form values before using them in the query
$cleanuname = mysql_escape_string($_POST['uname']);
$cleanupass = mysql_escape_string($_POST['upass']);

As the code above shows, the two form values are escaped using the mysql_escape_string() function. This function prefixes the characters that have special meaning inside a MySQL string literal (quotes, backslashes and NUL bytes) with a backslash, so that a form value can no longer break out of the quoted string in the query. (mysql_real_escape_string() does the same while taking the connection's character set into account and is the preferred choice.) This escaping is essential whenever form data is placed directly into a query string, as it closes the SQL injection hole that unescaped values would otherwise open. Next the code runs the MySQL query to actually compare the information from the form with the data in the database:

$checkuser = "SELECT * from users WHERE uname = '".$cleanuname."' AND upass = '".$cleanupass."'";
$checkuser_res = mysql_query($checkuser);

The outcome of the check is stored in the $checkuser_num variable, which holds the number of rows the query returned: greater than zero if there is a match and zero if there is not:

$checkuser_num = mysql_num_rows($checkuser_res);
if($checkuser_num > 0){

The code above checks for a match by testing whether the number of rows returned by the query is greater than zero. If so, we transfer the user details to the session variables. The session has already been started by the inclusion of the dbcon.php file, which contains the session_start() call. The name, user id and access level of the user are stored in the session variables, and the user is then granted access to the application. From this point on the user will be tracked:

//if the user exists and passes authentication,
//set up the session variables and redirect to the index page
$row = mysql_fetch_assoc($checkuser_res);
$_SESSION['name'] = $row['name']." ".$row['sname'];
$_SESSION['uid'] = $row['uid'];
$_SESSION['level'] = $row['level'];



If the user details do not match, the $errmsg variable is assigned an error message which is then displayed on the log-in form:


//if values do not match set errmsg


$errmsg .="The username or password you entered does not match.<br> MYSQL ERROR ".mysql_error();


}//end $err check

} //end form submit check
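The same check, rewritten as an added example that is not the tutorial's code: a PDO prepared statement replaces escaping, a stored password_hash() value replaces the plaintext comparison, and the error shown to the user no longer carries mysql_error() output. The users columns are the tutorial's; the $pdo handle, the username pattern and the hashed upass column are assumptions.

```php
<?php
// Added example, not the tutorial's code. Assumes a `users` table with
// columns uid, name, sname, level, uname and a `upass` column that holds
// a password_hash() value; $pdo is an open PDO connection to that database.
function authenticate(PDO $pdo, string $uname, string $upass): ?array
{
    // Validate the username format before it reaches the query, as the
    // tutorial's earlier check does; this particular pattern is an assumption.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $uname)) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely, so no
    // escaping step (and no character-set caveat) is needed.
    $stmt = $pdo->prepare(
        'SELECT uid, name, sname, level, upass FROM users WHERE uname = ? LIMIT 1'
    );
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash. When no row was found, verify against
    // a freshly computed dummy hash so the response time does not reveal
    // whether the username exists.
    $hash = ($row !== false) ? $row['upass'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($upass, $hash) || $row === false) {
        return null;
    }
    unset($row['upass']);  // never carry the hash into the session
    return $row;
}

function login(PDO $pdo, string $uname, string $upass, string &$errmsg): bool
{
    $row = authenticate($pdo, $uname, $upass);
    if ($row === null) {
        // One generic message for both failure modes; database error text
        // belongs in the server log, not in the page the user sees.
        $errmsg = 'The username or password you entered does not match.';
        return false;
    }
    // Issue a new session id once the user is authenticated, so a session id
    // fixed before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['name']  = $row['name'] . ' ' . $row['sname'];
    $_SESSION['uid']   = $row['uid'];
    $_SESSION['level'] = $row['level'];
    return true;
}
```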


The next article will finish off the section on user log-in and log out.
