This tutorial is intended to explain how to design and build the foundation of a secure user authentication system using PHP's PDO library with a MySQL database. Each security measure is explained and justified, and many contain references to additional information should you wish to explore the subject in more depth. This article highlights insecure practices commonly found in code written by beginning PHP programmers who are simply unaware of how to write secure code. This tutorial lives at DevShed Forums. Be sure to visit for up-to-date information and discussions.
This tutorial is aimed at programmers with a basic knowledge of PHP and MySQL. It assumes that you already have:
- A web server with PHP
- A MySQL database server with a MySQL database created
- Login details for the MySQL server
- A basic understanding of general programming concepts and PHP syntax
- A basic understanding of HTML and HTML forms
- A basic conceptual understanding of the purpose of a database
- How to prevent SQL injection exploits when using user-supplied data in a SQL query
- How to prevent XSS attacks when displaying user-supplied data on a web page
- How to securely store passwords in a database
- How to securely redirect a user to another web page
- How to connect to a MySQL database using PHP's PDO library
- How to insert a new row of data in the database (INSERT query)
- How to update an existing row of data in the database (UPDATE query)
- How to fetch a list of data from the database and display it in a table (SELECT query)
- How to check whether a particular value already exists in the database
- How to use PHP sessions to track a logged-in user
- How to properly handle non-ASCII characters using UTF-8
- How to avoid problems with PHP's Magic Quotes feature
- How to check whether a user is logged in or not, and force them to be logged in to view a particular page
- How to build a login form, registration form, account details editing form and memberlist page
To use this login system you will need to create a database using the provided SQL file. You will need to upload the remaining files to your web server. Please read through the comments in each file and edit as necessary per the instructions.
In common.php:
- enter the username used to access your database (you will need read and write access)
- enter the password for the user that you provided in Line 4
- enter the hostname of your database server (if you are unsure, leave this set to 'localhost')
- enter the name of the database you created for your login system
An example of a protected page can be found in private.php. Protecting a page is as easy as including the common.php file and checking whether or not a user is logged in.
// First we execute our common code to connection to the database and start the session
require("common.php");
// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");
// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}- PHP 5.5+, Minimum PHP 5.5.15
- MySQL 5.5+, Minimum MySQL5 (old versions have a PDO injection bug)
- installed PHP extensions: pdo, session
- Basic knowledge of PHP and object-oriented programming
A working demo of this code can be seen at http://www.basicsecurelogin.com.
Personal support requests should be made at the Dev Shed Forums.
This code is made freely available. Anyone and everyone is welcome to contribute. If you would like to get involved, please review the guidelines:
The code is available under the MIT license.
- How to program a basic but secure login system using PHP and MySQL
- The 6 worst sins of security
- Making PHP sessions secure
- How to (properly) access a MySQL database with PHP
- How to use PDO
- A short guideline on how to use the PHP 5.5 password hashing functions and its PHP 5.3 & 5.4 implementations
- How to setup latest version of PHP 5.5 on Ubuntu 12.04 LTS
- How to setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1 (and how to fix the GPG key error)
A special thanks to the contributing members at Dev Shed Forums who freely give of their time and expertise so that others may learn. If you find this code useful, please stop by the forums and say thanks.