Using PHP Encryption for Login Authentication | WebReference

Using PHP Encryption for Login Authentication

By Leidago Noabeb


Following up on "Implementing One-way Encryption in PHP," my previous tutorial about using one-way encryption to build a secure online diary application, this article explores using PHP encryption for login authentication. It presents the two scripts that make up the diary application: the login and diary scripts, as well as the necessary database server connection script.

We start with the login script.

The Login Script

The login script ensures that unauthorized users don't access other people's diary contents. Every user who wants to use a diary needs to have it registered. The login code below shows both file- and database-based methods for authenticating a user.

Whether you use the file-based or database-based method is entirely up to you. Either way, the page should look like Figure 1.

Login page for online diary
Figure 1. Login Page for Online Diary Application

To start with, the PHP portion of the code processes the data that is sent from the login form. It then uses one of the two authentication methods.

Database-based Authentication

Because we will store some data into session variables, we first start a session for the user. Then we include the global.php file that contains the database-connection details:

Now we start authenticating the user. We start off by checking if the form has been submitted:

Then we build a SQL statement to retrieve the stored password from the database:

We run the SQL statement using the mysql_query() function:

Next, we test to see if any results have been returned:

If results have been returned, we fetch the record using MySQL's mysql_fetch_assoc() function:

We store the name and ID of the user in session variables:

Then we redirect the user to the text editor page:

If the $res variable does not contain any results, then the user who is trying to log in either does not exist or has mistyped their login details. In either case, the details will not match, so we show an error message:

File-based Authentication

The second method of authentication is when you store your details in a file. The logic for retrieving the password is the same as that for doing it with the database server. First we check if the file that we want to open exists:

Then we open the file to read the contents. To do this, we need to specify the file name and opening mode:

Then we read the file using the fread() function and store the results in the $pass variable:

Then we close the file, because we got what we wanted from it:

The password that is stored in the file is now stored in the $pass variable. The password is already hashed, so it is actually a 32-character string as opposed to a plain text string. So we have to compare the user-submitted password with the password that is retrieved from the file. The following line of code does exactly that.

If the passwords match, we send the user over to the editor script. If they do not, then we show the following message:

If an error occurs while trying to read the file, we show this error message:

Similarly, if we cannot find the file that we want to open, we write a similar error message:

HTML Portion of Login Page

The HTML portion of the login page is very easy to understand. First, the HTML headers are set and some styles are defined:

Then the form tag is created:

Then the table is created, the table headers are set, and all the other formatting is done:

The form then presents the user with a textfield element that will take the password:

Finally the form button is defined: