Matt MickiewiczMatt Mickiewicz

Create a Powerful Login System with PHP in Five Easy Steps

AuthenticationPHP

Share this article

Create a Powerful Login System with PHP in Five Easy Steps

In this guide, you’ll learn how to create a powerful login system with PHP! We’ll walk you through the process step by step, so you can have a secure and efficient login system for your website in no time.

PHP and Login Systems

PHP is a popular server-side scripting language that allows you to create dynamic web pages. One of the most common uses of PHP is to create login systems for websites.

A login system is essential for protecting sensitive information and providing personalized content to users. In this tutorial, we’ll create a simple yet powerful login system using PHP and MySQL.

We’ll cover the following steps:

Setting Up Your Environment

Before we start, make sure you have the following software installed on your computer:

  • a web server (such as Apache)
  • PHP
  • MySQL

You can use a package like XAMPP or WAMP to install all of these components at once.

Once you have everything set up, create a new folder in your web server’s root directory (such as htdocs for Apache) and name it login_system.

Creating the Database and Tables

First, we need to create a database and tables to store user information.

Open your MySQL administration tool (such as phpMyAdmin) and create a new database called login_system.

Next, create a table called users with the following structure: 

CREATE TABLE `users` ( `id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(50) NOT NULL, `email` varchar(100) NOT NULL, `password` varchar(255) NOT NULL, `created_at` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (`id`), UNIQUE KEY `username` (`username`), UNIQUE KEY `email` (`email`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

This table will store the user’s ID, username, email, password, and the date the account was created.

Building the Registration Form

Let’s now create a registration form that allows users to sign up for an account.

Create a new file called register.php in your login_system folder and add the following code:

<form action="register.php" method="post">
  <label for="username">Username:</label> 
  <input id="username" name="username" required="" type="text" />
  <label for="email">Email:</label>
  <input id="email" name="email" required="" type="email" />
  <label for="password">Password:</label>
  <input id="password" name="password" required="" type="password" />
  <input name="register" type="submit" value="Register" />
</form>

This code creates a simple HTML form with fields for the username, email, and password. The form’s action attribute is set to register.php, which means the form data will be sent to the same file for processing.

Now, let’s add the PHP code to process the form data and insert it into the users table.

Add the following code at the beginning of your register.php file, before the declaration:

<?php if (isset($_POST['register'])) { 

// Connect to the database 
$mysqli = new mysqli("localhost", "username", "password", "login_system"); 

// Check for errors 
if ($mysqli->connect_error) { die("Connection failed: " . $mysqli->connect_error); } 

// Prepare and bind the SQL statement 
$stmt = $mysqli->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)"); $stmt->bind_param("sss", $username, $email, $password); 

// Get the form data 
$username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; 

// Hash the password 
$password = password_hash($password, PASSWORD_DEFAULT); 

// Execute the SQL statement 
if ($stmt->execute()) { echo "New account created successfully!"; } else { echo "Error: " . $stmt->error; } 

// Close the connection 
$stmt->close(); $mysqli->close(); }

This code checks if the form has been submitted, connects to the database, and inserts the user’s information into the users table. The password is hashed using PHP’s built-in password_hash function for added security.

Building the Login Form

Next, let’s create a login form that allows users to sign in to their accounts. Create a new file called login.php in your login_system folder and add the following code:

<form action="login.php" method="post">
  <label for="username">Username:</label>
  <input id="username" name="username" required="" type="text" />
  <label for="password">Password:</label> <input id="password" name="password" required="" type="password" />
  <input name="login" type="submit" value="Login" />
</form>

This code creates a simple HTML form with fields for the username and password. The form’s action attribute is set to login.php, which means the form data will be sent to the same file for processing.

Let’s now add the PHP code to process the form data and authenticate the user. Add the following code at the beginning of your login.php file, before the declaration: 

<?php session_start(); if (isset($_POST['login'])) { 

// Connect to the database 
$mysqli = new mysqli("localhost", "username", "password", "login_system"); 

// Check for errors 
if ($mysqli->connect_error) { die("Connection failed: " . $mysqli->connect_error); } 

// Prepare and bind the SQL statement 
$stmt = $mysqli->prepare("SELECT id, password FROM users WHERE username = ?"); $stmt->bind_param("s", $username); 

// Get the form data 
$username = $_POST['username']; $password = $_POST['password']; 

// Execute the SQL statement 
$stmt->execute(); $stmt->store_result(); 

// Check if the user exists 
if ($stmt->num_rows > 0) { 

// Bind the result to variables 
$stmt->bind_result($id, $hashed_password); 

// Fetch the result 
$stmt->fetch(); 

// Verify the password 
if (password_verify($password, $hashed_password)) { 

// Set the session variables 
$_SESSION['loggedin'] = true; $_SESSION['id'] = $id; $_SESSION['username'] = $username; 

// Redirect to the user's dashboard 
header("Location: dashboard.php"); exit; } else { echo "Incorrect password!"; } } else { echo "User not found!"; } 

// Close the connection 
$stmt->close(); $mysqli->close(); }

This code checks if the form has been submitted, connects to the database, and retrieves the user’s information from the users table. The password is verified using PHP’s built-in password_verify function. If the login is successful, the user is redirected to a dashboard.php page.

Securing Your Login System

To further secure your login system, you should implement the following best practices:

  • Use HTTPS to encrypt data transmitted between the client and server.
  • Implement CSRF (cross-site request forgery) protection using tokens.
  • Limit the number of failed login attempts to prevent brute-force attacks.
  • Store sensitive information — such as database credentials — in a separate configuration file outside the web server’s document root.
  • Regularly update your software, including PHP, MySQL, and your web server, to apply the latest security patches.

Conclusion

Congratulations! You’ve successfully created a powerful login system with login forms and secured your login system.

Frequently Asked Questions (FAQs) about Creating a PHP Login System

How Can I Secure My PHP Login System Against SQL Injection Attacks?

SQL injection is a common security vulnerability that exploits the database layer of an application. To secure your PHP login system against SQL injection attacks, you should use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way, it’s impossible for an attacker to inject malicious SQL. Both PDO and MySQLi support prepared statements.

How Can I Implement Password Hashing in My PHP Login System?

Password hashing is a crucial security aspect in any login system. PHP provides built-in functions for password hashing and verification. You can use the password_hash() function to create a password hash and password_verify() to check if the password matches the hash. Always store the hashed password in your database, not the plain text password.

How Can I Implement a ‘Remember Me’ Feature in My PHP Login System?

A ‘Remember Me’ feature can be implemented using cookies in PHP. When a user checks the ‘Remember Me’ option and logs in, you can set a cookie with a long expiry time. The next time the user visits your site, you can check if this cookie exists and log them in automatically. However, remember to handle cookies securely to prevent any potential security risks.

How Can I Implement a Password Reset Feature in My PHP Login System?

A password reset feature typically involves sending an email to the user with a unique, one-time-use link to a password reset page. PHPMailer is a popular library for sending emails from PHP. When creating the reset link, you should include a token that can be used to verify the password reset request. This token should be stored securely and expire after a certain period.

How Can I Validate User Input in My PHP Login System?

User input validation is essential to prevent malformed data and SQL injection attacks. PHP provides several functions for input validation, such as filter_var(). You can use this function with different options to validate and sanitize different types of data. For example, you can use FILTER_VALIDATE_EMAIL to check if the user input is a valid email address.

How Can I Implement User Roles in My PHP Login System?

User roles can be implemented by adding a ‘role’ column to your users table in the database. Each role can have different permissions, and you can check the user’s role before allowing them to perform certain actions. For example, you might have ‘admin’ and ‘user’ roles, and only allow ‘admin’ users to delete other users.

How Can I Implement Two-Factor Authentication in My PHP Login System?

Two-factor authentication (2FA) adds an extra layer of security to your login system. There are several ways to implement 2FA, such as sending a code via SMS or email, or using a dedicated 2FA app. PHP libraries like PHPGangsta/GoogleAuthenticator can help you implement 2FA in your login system.

How Can I Implement Social Login in My PHP Login System?

Social login allows users to log in using their social media accounts, such as Facebook or Google. This can be implemented using the OAuth protocol. PHP libraries like HybridAuth can simplify the process of implementing social login.

How Can I Implement Account Lockout in My PHP Login System?

Account lockout can be implemented by keeping track of failed login attempts. After a certain number of failed attempts, you can lock the account and prevent further login attempts for a certain period. This can help prevent brute force attacks.

How Can I Implement User Registration in My PHP Login System?

User registration typically involves creating a form where users can enter their details, such as username, email, and password. After the user submits the form, you can validate the input, hash the password, and store the user details in your database. PHP provides several functions to help with user registration, such as filter_var() for input validation and password_hash() for password hashing.

Matt MickiewiczMatt Mickiewicz
View Author

Matt is the co-founder of SitePoint, 99designs and Flippa. He lives in Vancouver, Canada.

login forms
Share this article
SitePoint Premium
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
SitePointStart Free Trial
Stuff we do
PremiumNewslettersLearning pathsLibraryForums
Contact
Contact usFAQPublish your book with usWrite an article with usAdvertise
About
Our storyCorporate membershipsTerms of usePrivacy policy
Connect
RSSFacebookInstagramTwitter (X)
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© 2000 – 2024 SitePoint Pty. Ltd.