How do I authenticate a user in PHP / MySQL?

Question

So recently I learned how to properly add a username and password to a database. My database is usersys, and the table storing user information is called userdb. The table h

Answer 1

One way to do it (DISCLAIMER: not necessarily best-practice):

$result = mysql_query("SELECT id FROM userdb WHERE username='$esclcusername' AND  password='$escpassword'") or die(mysql_error());
$row = mysql_fetch_array( $result );
$id = (int)$row['id'];
if($id > 0) {
    //log in the user
    session_start();
    $_SESSION['userId'] = $id;
    $_SESSION['username'] = $displayname;
}

... and on pages that require authentication:

session_start();
if(!isset($_SESSION['userId'])) {
    die('You need to be logged in!!!');
} else {
    echo 'Welcome ' . $_SESSION['username'];
}

Read more about PHP sessions.

Answer 2

This is not a direct answer to this question but a GOOD value-add. You should use MYSQL SHA1 function to encrypt the password before storing into the database.

$user = $_POST['userid'];
$pwd = $_POST['password'];
$insert_sql = "INSERT into USER(userid, password) VALUES($user, SHA1($pwd))";

$select_sql = "SELECT * FROM USER WHERE userid=$user AND password=SHA1($pwd))";

Answer 3

I would also think about not storing passwords in your database. One way hashes with MD5 or SHA1 are a way of adding a layer of security at the db level.

See http://php.net/md5 or http://php.net/sha1 for further information.

Answer 4

I like to use both $_SESSION and MYSQL Checks with any login POST. This should help get a few things started.

$username = mysql_real_escape_string($_POST[username]);
$password = strip_tags($_POST[password]);
$password = sha1($password);

if(isset($username) && isset($password) && !empty($username) && !empty($password))
{
$sql = mysql_query("SELECT * FROM users_column WHERE username = '$username' AND password = '$password'");

//Check the number of users against database
//with the given criteria.  We're looking for 1 so 
//adding > 0 (greater than zero does the trick). 
$num_rows = mysql_num_rows($sql);
if($num_rows > 0){

//Lets grab and create a variable from the DB to register
//the user's session with.
$gid = mysql_query("SELECT * FROM users_column WHERE username = '$username' AND password = '$password'");
$row = mysql_fetch_assoc($gid);
$uid = $row[userid];

// This is where we register the session.
$_SESSION[valid_user] = $uid;

//Send the user to the member page.  The userid is what the 
//session include runs against.
header('Location: memberpage.php?userid='.$userid);
}

//If it doesn't check out -- throw an error.
else
{
echo 'Invalid Login Information';
}
}

NOTE: You would need to start the page file with session_start() and create a separate Session Check include stating with session_start() and then your progressions e.g. if($_SESSION[valid_user] != $userid) do something.

Answer 5

You could use a select statement to retreive from MySQL the password for the specified username. If you have an empty result set, then you do not have the username in the table.

If you need the user to be authenticated in more than one php page, then one choice whould be using sessions (http://www.php.net/manual/en/function.session-start.php).

Also, I think you should think about security, i.e. preventing SQL injection:

$variable = mysql_real_escape_string($_POST['variable'])

and avoiding to "die" (treating errors and returning user-friendly messages from the script).

Answer 6

I agree with the idea if using SESSION variables while authenticating the user.

The easy way to authenticate the user is as follows

//connect the mysql_db
$mysql_connect()
$mysql_select_db() 

//reading from mysql table
$res="SELECT * FROM table WHERE name=$username AND password=$password";
$val=mysql_query($res);

//authentication
$count=mysql_num_rows($val);
if($count==1)
//authenticate the user
else
through an error