PHP and MySQL Authentication


xXtreme
4-16-03, 02:31 PM
I'm interested in securely authenticating users on my website using PHP/MySQL. I'm all familiar with the principles, but have no idea of how to implement it.

I'm already familiar with PHP and MySQL, and would appreciate some advice, examples or code snippets. Thanks!:)

Atomic-Design
4-16-03, 11:23 PM
REMEMBER: The more basic, the more secure. PLAIN AND SIMPLE

This is what I do:

Name the forms relating to what the user puts in. So if the user puts in information in the 'username' field, make sure you named it as 'username'. Create two forms, 'username' and 'password'. (use the name="username" and name="password" properties in the input tags)

Use this form tag

<form name="login" method="POST" action="<?$PHP PRINT '$PHP_SELF'?>">

Add a hidden input field in your form
<input type="hidden" name="pwdcheck" value="filled">

Now add this at the VERY top of your page, even before the HTML tags

<?php
// Run the login check only after the form has been submitted
if ( isset($_POST['pwdcheck']) ) {
    mysql_connect(HOST, USER, PASS);
    mysql_select_db(DB);

    // etc... (check for the matching values in MySQL)
}
?>


Hope this is specific enough. If you have troubles with the last part I'll tell you how to check the variables, and if they match.

xXtreme
4-17-03, 04:39 PM
Thanks Atomic, very good stuff.

Break it down for me though, what does the "<?$PHP PRINT '$PHP_SELF'?>" action do?

Also, I would appreciate if you showed me how to compare the username and passwd. Finally, is it correct to assume that the username and password would be passed to the MySQL database as clear text, i.e. unencrypted?

Thanks again!

Atomic-Design
4-17-03, 07:27 PM
action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>"

When you hit the submit button, the form uses Method=POST to post the data. The action property is where the data is going. By using the PHP tags (<?php and ?>) we can print the current document (itself) in the action. $php_self is a special variable which is always the path of the document it's in. It lets you post data to the same file the forms are in. Basically, it's posting the data to itself.

I do not encrypt. However, you could if you wanted. You could also just let SSL handle it. I don't find it much of a concern.

To compare data to the database:


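<?php
// Setup information (the MySQL account, not the website login)
$user = "your name";
$pass = "your password";
$db = "your database";

// Connect
$link = mysql_connect( "localhost", $user, $pass );

// Error message if no connection was made
if ( !$link )
    die( "Couldn't connect to MySQL" );

// Connect to the database
mysql_select_db( $db, $link )
    or die( "Couldn't connect to the database $db: ".mysql_error() );

// Values submitted by the login form
$username = $_POST['username'];
$password = $_POST['password'];

// Fetch the stored password for the submitted username only
$result = mysql_query( "SELECT password FROM logins WHERE username = '"
    . mysql_real_escape_string( $username, $link ) . "'", $link )
    or die( "Query failed: ".mysql_error() );
$row = mysql_fetch_assoc( $result );

// mysql_query() returns a result resource, so compare the fetched value
if ( $row && $row['password'] === $password )
{
    print "login complete";

    // ADDITIONAL STUFF HERE AFTER LOGIN IS COMPLETE

}
?>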

Remember to put that whole thing in the isset() function. (meaning that the first time the page is loading, the variable won't be set. once you submit data, the variable is set, so the login process begins)

Let me know if you need help with setting up the tables in MySQL.
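
An added example, not part of any post above and not the posters' code: the same username/password check done with a parameterised query and a stored password hash instead of a clear-text comparison. It uses PDO because the mysql_* functions in the thread were removed in PHP 7; the logins columns, the sample accounts and the in-memory SQLite database (standing in for MySQL so it runs offline) are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: table "logins" with
// columns username and password_hash; SQLite in memory stands in for MySQL so
// the script runs offline (for MySQL use a "mysql:host=...;dbname=..." DSN).

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE logins (
        username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

// Store a salted hash of the password, never the password itself.
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO logins (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// True only when the user exists and the password matches the stored hash.
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps submitted text out of the SQL statement itself.
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM logins WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Unknown user: fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample accounts; in the form handler the two values would come
// from $_POST['username'] and $_POST['password'].
$pdo = open_db();
register_user($pdo, 'alice', 'correct horse battery staple');
register_user($pdo, "o'brien", 'second sample password');

var_dump(check_login($pdo, 'alice', 'correct horse battery staple'));
var_dump(check_login($pdo, 'alice', 'wrong password'));
var_dump(check_login($pdo, "o'brien", 'second sample password'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

Hashing protects the stored passwords only; the form submission itself still travels in the clear unless the page is served over SSL/TLS, which the thread mentions.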