6. To the core of the script
To make integration with other scripts easier and keep things
modular, the core of the script is an object with a very simple
interface.
class User {
    var $db = null;       // PEAR::DB connection handle
    var $failed = false;  // set to true when a login attempt fails
    var $date;            // current date (GMT), already quoted for SQL
    var $id = 0;          // the current user's id (0 = not logged in)

    // PHP 4 style constructor; takes the PEAR::DB connection by reference
    function User(&$db) {
        $this->db = $db;
        $this->date = $GLOBALS['date'];
        // !empty() avoids a notice when the session key does not exist yet
        if (!empty($_SESSION['logged'])) {
            $this->_checkSession();                           // verify an existing login
        } elseif (isset($_COOKIE['mtwebLogin'])) {
            $this->_checkRemembered($_COOKIE['mtwebLogin']);  // "remember me" cookie
        }
    }
That is the class definition and the constructor of the object.
It is not perfectly modular, since the constructor reads the date
from a global, but a single date value is not much of a problem.
It is invoked like this:
$date = gmdate("'Y-m-d'");   // single quotes included, so it can be dropped straight into SQL
$db = db_connect();          // returns the PEAR::DB connection object
$user = new User($db);
Now for what the code does: the constructor checks whether the
visitor is already logged in. If so, the session is verified
(remember, this is meant to be a secure script, so a session flag
on its own is not trusted). If not, it looks for a cookie, named
mtwebLogin here purely as an example, so that visitors who asked
to be remembered are recognized on their next visit.
7. Logging in users
To let users log in you build a web form; after validating the
form you check the credentials with $user->_checkLogin('username',
'password', $remember). The username and password should of course
come from the form rather than being constants, and $remember is a
boolean flag which, if set, sends the visitor a cookie that allows
automatic logins later.
function _checkLogin($username, $password, $remember) {
    // quote() escapes the value and wraps it in quotes, so it is safe to embed in SQL
    $username = $this->db->quote($username);
    $password = $this->db->quote(md5($password));
    $sql = "SELECT * FROM member WHERE " .
           "username = $username AND " .
           "password = $password";
    // getRow() returns the first matching row (an object with the fetch mode used here)
    $result = $this->db->getRow($sql);
    if (is_object($result)) {
        $this->_setSession($result, $remember);  // start the session; set the cookie if $remember
        return true;
    } else {
        $this->failed = true;   // lets the page decide to show a "login failed" message
        $this->_logout();       // reset the session to its defaults
        return false;
    }
}
This function definition, like all the code that follows, belongs
inside the User class definition. The function uses PEAR::DB's
quote() method so that the values passed to the database are safely
escaped; without it, a crafted username containing a quote character
could change the meaning of the query. PHP's md5() function is used
rather than MySQL's MD5() because other databases may not have it.
Keep in mind that an unsalted md5 of the password is a weak choice:
it is fast to brute force and identical passwords produce identical
hashes, so a salted, deliberately slow password hash is preferable
where the PHP version allows it.
Because username is defined UNIQUE, the lookup can use that index
and matches at most one row, whichever order the two conditions
appear in the WHERE clause.
No check for a DB_Error object is needed because of the default
error mode set above. If there is a match in the database $result
will be an object (this relies on the connection's fetch mode being
DB_FETCHMODE_OBJECT; with the default ordered fetch mode getRow()
returns an array and is_object() would never be true), so the
session variables are set and true is returned (successful login).
Otherwise the failed property is set to true (checked later to
decide whether to display a login-failed page) and the visitor is
logged out. The logout method just executes session_defaults().
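The following is an added example, not code from the article: it rebuilds the credential check of _checkLogin() on PDO with an in-memory SQLite database so it can be run on its own, and puts the unescaped form of the query next to a hardened form. The hardened form swaps in two things the article does not use: a parameterised query in place of quote(), and password_hash()/password_verify() in place of an unsalted md5 compared inside SQL. It assumes PHP 7.1 or later with the pdo_sqlite extension; the member table, the "alice" account and the bypass string are constructed for the demo.

```php
<?php
// Added example (not the article's code). Assumes PHP 7.1+ with pdo_sqlite.
// The table, the account and the bypass string are constructed for the demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_md5: what the article stores; password_hash: what the hardened version stores
    $db->exec('CREATE TABLE member (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE,
        password_md5 TEXT,
        password_hash TEXT
    )');
    $ins = $db->prepare('INSERT INTO member (username, password_md5, password_hash) VALUES (?, ?, ?)');
    $ins->execute(['alice', md5('s3cret'), password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// The anti-pattern: the article's query with quote() left out. Kept only to
// show what the escaping protects against; never use this form.
function loginUnsafe(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM member WHERE username = '$username' AND password_md5 = '" . md5($password) . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened form of the same check: parameterised query, row fetched by
// username only, password verified in PHP rather than compared in SQL.
// Returns the user id on success, null on failure.
function loginSafe(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM member WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run the (slow) verify even for unknown usernames so that response time
    // does not tell an attacker which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    if ($row === false) {
        password_verify($password, $dummyHash);
        return null;
    }
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

$db = makeDb();
$bypass = "x' OR '1'='1' --";   // classic injection: comments out the password condition

var_dump(loginUnsafe($db, $bypass, 'anything'));
var_dump(loginSafe($db, $bypass, 'anything'));
var_dump(loginSafe($db, 'alice', 's3cret'));
var_dump(loginSafe($db, 'alice', 'wrong'));
```

Run from the command line, the unescaped lookup accepts the bypass string without knowing any password, while the hardened one treats the same string as an unknown username and hands back an id only for alice with the right password. In the article's PEAR::DB setting, quote() on every value, or DB's own prepare()/execute() with placeholders, plays the role the PDO prepared statement plays here.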