Setting up restricted access to certain pages is a breeze. Here I will show a quick way to control who can view specific pages using a form based login system and a MySQL database of allowed users.
First we will set up the database table for storing the user login information. We will be hashing the passwords later on; here is the SQL code for the table:
CREATE TABLE `users` (
  `id` int(4) NOT NULL auto_increment,
  `username` varchar(32) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM;
I insert the users manually through my phpMyAdmin front-end. If I am doing a site that has multiple users, then chances are good that I will be using a content management system, such as Drupal. I use this authentication method for smaller sites and do not find it necessary to write a script for inserting users, but creating one would be relatively simple. The one thing you need to be sure to do when inserting a new user is to select MD5 under the function section for the password (see screenshot below), so that the stored value is the MD5 hash rather than the plain-text password. MD5 is a hash function that is easy to compute with PHP.
Now we have the MySQL end taken care of and we can focus on securing the pages. For each page that we only want to be seen by authorized eyes, we need to put in some PHP code. I put this code snippet before the first HTML tag. If you are using PHP4, then the code must be the very first text at the top of the web document, because session_start() and header() send HTTP headers and fail once any output has been sent.
<?php
session_start();
// Only sessions that check.php has marked as authenticated may view this page.
if (!isset($_SESSION['is_logged_in'])) {
    header("Location: login.php");
    die(); // stop here so the protected content below is never sent
}
?>
This snippet checks to see if a user has been authenticated for this session. If not, then the user is redirected to a login form and the script dies. If the user has been authenticated for this session, then the page continues to display the contents. Now we need to create a login page. The code above specifically refers to login.php, so we will name the new page just that. Here is my code for the login page:
<form method="POST" action="check.php">
  Username: <input type="text" name="username">
  Password: <input type="password" name="password">
  <input type="submit" id="subbut" value="Submit">
</form>
You should notice in the above code that the form is posting to a file named check.php. This file will query our previously created MySQL database to verify the user's credentials. Here is how it is coded:
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $db = new mysqli("mysql.example.com", "username", "password", "database");
    if ($db->connect_error) {
        die("Unable to connect to database");
    }
    // Bind the submitted values as parameters instead of pasting them into the
    // query string; MD5() on the server side matches the phpMyAdmin MD5 step.
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $stmt = $db->prepare("SELECT id FROM users WHERE username = ? AND password = MD5(?)");
    $stmt->bind_param("ss", $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['is_logged_in'] = 1;
    }
    $stmt->close();
}
if (!isset($_SESSION['is_logged_in'])) {
    header("Location: login.php");
} else {
    header("Location: authenticated.php");
}
exit;
?>
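As an added example (not the article's own code), here is the same check rewritten with PHP's password_hash()/password_verify() in place of MD5, along with the user-insertion script the article mentions but does not show. It assumes the article's `users` table with the `password` column widened to varchar(255), and the connection details are placeholders.

```php
<?php
// Added example: user insertion and login check without MD5.
// Assumes the article's `users` table with `password` as varchar(255),
// since password_hash() output is longer than 32 characters.
function db(): mysqli {
    // Placeholder connection details, not the article's real values.
    $db = new mysqli("mysql.example.com", "username", "password", "database");
    if ($db->connect_error) {
        die("Unable to connect to database");
    }
    return $db;
}

// Store a salted, deliberately slow hash instead of an unsalted MD5 digest.
function add_user(mysqli $db, string $username, string $password): bool {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    return $stmt->execute();
}

// Look the user up by name only, then compare the hash in PHP so the
// submitted password never becomes part of the SQL text.
function check_login(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row) {
        return false; // unknown user
    }
    return password_verify($password, $row['password']);
}

// Glue for check.php: rotate the session id before marking it logged in.
session_start();
if ($_SERVER['REQUEST_METHOD'] === "POST") {
    $db = db();
    if (check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);
        $_SESSION['is_logged_in'] = 1;
    }
}
header("Location: " . (isset($_SESSION['is_logged_in']) ? "authenticated.php" : "login.php"));
exit;
```

Call add_user() from a one-off command-line script to create accounts in place of the phpMyAdmin MD5 step.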
The username and password are user and password respectively. On the authenticated test page you are given the option of logging out. This was done by creating a file named logout.php with the following code:
<?php
session_start();
$_SESSION = array(); // clear the session data, including is_logged_in
session_destroy();
header("Location: authenticated.php"); // authenticated.php will bounce back to login.php
exit;
?>