User Authentication with PHP+MySQL: Part #2
When we left off last time we had just finished detailing what you need to begin this tutorial. If you have not checked those requirements, please read them over here, then come back to begin.
So, we're building a basic user authentication system using PHP and MySQL. First things first: which tracking mechanism should we use? Personally, I prefer cookies over sessions for user-driven systems, for several reasons noted at the link; so we'll be using cookies in this tutorial.
Now, before we even begin to type any code, let's get the database schema thought out and created. Here's the basic schema/SQL:
```sql
CREATE TABLE `kiler_users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(28) NOT NULL,
  `email` varchar(110) NOT NULL,
  `pass` varchar(85) NOT NULL,
  `is_confirmed` int(1) NOT NULL,
  `confirm_hash` varchar(65) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
```
Now that our database structure is thought out and created we can begin on the logic (code).
In my experiences with programming in general I am quite familiar with Object Oriented Programming, and will therefore create this user system with the use of it. If you are new to object oriented programming or to PHP in general please try and follow along until I can get around to creating an introductory tutorial on OOP.
Our system is built around a single class that creates the objects the user system needs, so let's write it. Save the following class in a separate PHP file named kiler.user.class.php:
```php
<?php
class KilerUser{
    public $userID;
    public $userName;
    public $userEmail;
    public $userPass;
    public $userHash;

    // All arguments are optional so the class can also be instantiated empty,
    // as the usage code further down does with new KilerUser().
    function __construct($userID = null, $userName = null, $userEmail = null, $userPass = null, $userHash = null){
        $this->userID = $userID;
        $this->userName = $userName;
        $this->userEmail = $userEmail;
        $this->userPass = $userPass;
        $this->userHash = $userHash;
    }

    // $userName and $userPass are expected to be already escaped by the caller
    // (see the usage code); $userPass is the md5 of the submitted password.
    function login($userName,$userPass){
        global $db;
        $go = @mysql_query("select id, pass from kiler_users where username = '$userName' and pass = '$userPass' limit 1");
        if(!$go) return false;
        $checkpass = @mysql_fetch_assoc($go);
        if(!$checkpass) return false;
        $pass2 = $checkpass['pass'];
        if($userPass != $pass2) return false;
        $chkconf = $this->checkConfirmed($userName);
        if(!$chkconf) return false;
        $userName = strtolower($userName);
        $this->setCookies($userName);
        return true;
    }

    // The login cookie holds the username, lasts 12800 seconds (about 3.5 hours)
    // and is sent for the whole site.
    function setCookies($userName){
        setcookie('kiler_userlogin', $userName, (time()+12800), '/', '', 0);
    }

    // A visitor counts as logged in when the username in the cookie exists in the table.
    function isLoggedIn(){
        global $db;
        if(isset($_COOKIE['kiler_userlogin'])){
            $userName = mysql_real_escape_string($_COOKIE['kiler_userlogin']);
            $check = @mysql_query("select id from kiler_users where username = '$userName' limit 1");
            $checkNum = @mysql_num_rows($check);
            return ($checkNum>=1) ? true : false;
        }
        return false;
    }

    // Expire the cookie, redirect and stop the script. header() returns nothing,
    // so the form "header(...) and exit()" would never actually reach exit().
    function logout(){
        setcookie('kiler_userlogin', '', (time()-2592000), '/', '', 0);
        header("Location: http://www.yoursite.com");
        exit();
    }

    // Returns true only when exactly one row matches and is_confirmed is 1.
    function checkConfirmed($userName){
        global $db;
        $userName = strtolower(@mysql_real_escape_string($userName));
        $go = @mysql_query("select username, is_confirmed from kiler_users where username = '$userName' limit 1");
        $goNum = @mysql_num_rows($go);
        if($goNum!=1) return false;
        $getdata = @mysql_fetch_assoc($go);
        $userName2 = stripslashes(strtolower($getdata['username']));
        $isit = $getdata['is_confirmed'];
        if($userName != $userName2) return false;
        if($isit == '0' || $isit == '') return false;
        return ($isit == '1') ? true : false;
    }

    // Looks up the id for a (caller-escaped) username; on any mismatch the user is logged out.
    function getUserID($userName){
        global $db;
        $go = @mysql_query("select id, username from kiler_users where username = '$userName' limit 1");
        $goNum = @mysql_num_rows($go);
        if($goNum!=1){ $this->logout(); return; }
        $goRw = @mysql_fetch_assoc($go);
        // mysql_num_rows() takes a result resource, not the fetched row array, so
        // the row itself is checked here instead.
        if(!$goRw){ $this->logout(); return; }
        $userName2 = stripslashes(strtolower($goRw['username']));
        $userID = $goRw['id'];
        if($userName != $userName2){ $this->logout(); return; }
        return $userID;
    }
}
```
Now, I won't get into the details of the functions within the class, as they should be pretty much straightforward. For the sake of quickness I'll slack there and instead show you how to use this basic class.
In your system, before any headers or output are sent (setcookie() and header() fail once output has started), add the code which uses the user class/system. Here it is:
```php
<?php
require_once '/path/to/your_Database_Connection.php';
require_once '/path/to/kiler.user.class.php';

$kilerUser = new KilerUser();

// if logout is set log them out!
if(isset($_GET['logout'])){
    $kilerUser->logout();
}

$is_user_logged_in = $kilerUser->isLoggedIn();
if(!$is_user_logged_in){
    // user is not logged in
    // see if login form has been submitted.
    // If it has process the form.
    if(isset($_POST['user_name']) && isset($_POST['user_pass'])){
        $userName = strip_tags(strtolower(mysql_real_escape_string($_POST['user_name'])));
        $userPass = md5(mysql_real_escape_string(strip_tags($_POST['user_pass'])));
        $goLogin = $kilerUser->login($userName,$userPass);
        if($goLogin){
            // successful login
            $rr = @mysql_query("select id from kiler_users where username = '$userName' limit 1");
            $rw = @mysql_fetch_assoc($rr);
            $userID = $rw['id'];
        }else{
            $login_message = 'You have entered an incorrect login user/pass combination or your account has not been confirmed.';
        }
    }
}else{
    // user is logged in
    // Get their user id
    $userName = mysql_real_escape_string($_COOKIE['kiler_userlogin']);
    $userID = $kilerUser->getUserID($userName);
    if($userID == '' || $userID == 0){
        $login_message = 'Error recovering user data.';
    }else{
        $login_message = 'Welcome back userID: '.$userID.'!';
    }
}

if(isset($login_message)){
    echo $login_message;
}
```
This is a bare-bones user system: it does not include the actual registration form/process and is also missing the login form, which I'm sure you can handle on your own if you made it this far. The system has several design flaws, such as using raw mysql_* calls rather than a wrapper, and hashing passwords with plain md5 without adding any "salt"; but I'm sure you can weed those out and refine it a bit. This was meant to give the basic idea to newbies and the like. I hope this helps someone.
To secure this class/script:
1. Add a "salt" when hashing the user's password.
2. Add an md5 hash with "salt" to the user's cookie.
…come on, I can’t do everything for you.
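As an added example, not code from the original tutorial, here is how those two items can be done with PHP's own primitives: password_hash()/password_verify() (bcrypt with a random salt, which goes beyond the salted md5 the list suggests) for password storage, and an HMAC-signed cookie in place of the bare username, since the cookie value arrives from the browser and is attacker-controlled. It assumes PHP 5.6 or later and a mysqli connection in $db; the function names, the cookie layout and the secret constant are this example's own choices.

```php
<?php
// Added example, not from the original tutorial. Assumes PHP >= 5.6, a mysqli
// connection in $db, and usernames that contain no '|' character; the function
// names and the cookie layout are this example's own choices.

// Server-side secret that signs cookies. Placeholder only: load a long random
// value from a file outside the web root instead of hard-coding it.
define('KILER_COOKIE_SECRET', 'replace-with-a-long-random-secret');

// 1. Password storage: password_hash() picks a random per-user salt and stores it
//    inside the hash string, so the schema needs no extra salt column and the
//    85-character `pass` column holds the 60-character bcrypt result.
function kiler_hash_password($plainPass) {
    return password_hash($plainPass, PASSWORD_DEFAULT);
}

// Look the hash up by username only (never put the password in the WHERE
// clause) and let password_verify() do the comparison.
function kiler_check_password(mysqli $db, $userName, $plainPass) {
    $stmt = $db->prepare('SELECT pass FROM kiler_users WHERE username = ? AND is_confirmed = 1 LIMIT 1');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    return (bool)$found && password_verify($plainPass, $storedHash);
}

// 2. Login cookie: the tutorial's cookie is a bare username that the browser can
//    be made to send with any value, so the server must be able to tell a cookie
//    it issued from one it did not. Store "username|expiry|HMAC" instead.
function kiler_make_cookie($userName, $ttlSeconds = 12800) {
    $payload = $userName . '|' . (time() + $ttlSeconds);
    return $payload . '|' . hash_hmac('sha256', $payload, KILER_COOKIE_SECRET);
}

// Returns the username when the cookie is authentic and unexpired, else false.
function kiler_read_cookie($cookieValue) {
    $parts = explode('|', $cookieValue);
    if (count($parts) !== 3) return false;
    list($userName, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $userName . '|' . $expires, KILER_COOKIE_SECRET);
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac) || (int)$expires < time()) return false;
    return $userName;
}

// HttpOnly keeps page scripts away from the cookie; pass true for the secure
// flag once the site is served over HTTPS.
function kiler_set_login_cookie($userName) {
    setcookie('kiler_userlogin', kiler_make_cookie($userName), time() + 12800, '/', '', false, true);
}
```

With this in place, KilerUser::isLoggedIn() would call kiler_read_cookie() on $_COOKIE['kiler_userlogin'] and only then look the returned username up, and login() would call kiler_check_password() with the raw submitted password instead of comparing md5 values in SQL.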
If you have any questions, comments or flames, feel free to use the commenting feature here.