Check a username and password against a database record

Posted by dalean123
February 14, 2015

 

<?php
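session_start(); //Start the session before anything is sent to the browser
  //session_start() and the header() redirect further down both send HTTP headers,
  //so nothing may be output before them (or output buffering must be enabled in php.ini)

  //Database connection settings for mysqli.
  //NOTE: "root" with an empty password is a local-demo placeholder only. A real
  //deployment should use a dedicated low-privilege database account with a strong
  //password, and load the credentials from configuration kept outside the web root.
  define("DB_SERVER", "localhost"); //Your server name
  define("DB_USER", "root"); //Your username
  define("DB_PASS", ""); //Your password
  define("DB_NAME", "test"); //Your database

  //Since PHP 8.1 mysqli throws mysqli_sql_exception on a failed connection by default,
  //while older versions return false. Both outcomes are folded into one check so the
  //failure is never reported through an uncaught exception and its stack trace.
  $connection = false;
  $connectError = "";
  try{
    $connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
    if($connection === false){
      $connectError = mysqli_connect_error() . " (" . mysqli_connect_errno() . ")";
    }
  }catch(mysqli_sql_exception $e){
    $connection = false;
    $connectError = $e->getMessage() . " (" . $e->getCode() . ")";
  }

  if($connection === false){
    //The technical detail goes to the server log only; the visitor gets a generic
    //message so host names, account names and driver errors are not disclosed.
    error_log("Database connection failed: " . $connectError);
    die("Database connection failed");
  }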
  
  //If connection was successful, then the script will continue its processing
  
  //declare some variables that will be needed in the script
  $errors = array();
  $message = "";
  $username = "";
  $password = "";
  if($_SERVER["REQUEST_METHOD"] == "POST"){
    if(isset($_POST["submit"])){
      $username = trim($_POST["username"]);
      $password = trim($_POST["password"]);
      
      $required = array("username", "password");
      
      function sanitize($username, $password){
        $errors = array(); //Local $errors variable(array)
        if($username === ""){
          $errors["username"] = "Username cannot be blank";
          
        } else{
            if(strlen($username) < 6 || strlen($username) > 25){
            $errors["username"] = "Username must be between 6 and 20 characters";
          }
        }
        if($password === ""){
           $errors["password"] = "Password cannot be blank";
        }else{
            if(strlen($password) < 6 ||strlen($password) > 25){
            $errors["password"] = "Password must be between 6 and 20 characters";
          }
        }
        return $errors;
      } //function delimiter
      
      $errors = sanitize($username, $password);

      if(count($errors) !== 0){
        $message .= "<ul>"; //Opening unorder list tag
        foreach($errors as $field => $value){
          
          $message .= "<li>{$value}</li>";
        }
        $message .= "</ul>"; //Closing unordered list tag

      }else{
        $query = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
        $result = mysqli_query($connection, $query);
        $row = mysqli_num_rows($result);
        if($row === 1){
          $user = mysqli_fetch_assoc($result);
          if($user["username"] == $username && $user["password"] === $password){
            $_SESSION["user"] = $user["username"];
            header("Location: home.php"); //Redirect your user to where ever
          }else{
            $message = "Username and Password does not match";
          }
        }else{
          $message = "That user does not exist";
        }
      }
      
    }
  }
?>
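<!DOCTYPE html>
<html>
<head>
  <title>Simple Login page with PHP</title>
  <meta charset="utf-8" />
</head>
<body>
  <h1>Login page with PHP</h1>
  <?php
    //$message is an HTML fragment assembled by the script above and is echoed
    //as markup on purpose; it must never contain raw submitted data
    if(isset($message)) { echo $message; }
  ?>
  <form action="login.php" method="POST">
    <table>
      <tr>
        <th><label for="username">Username</label></th>
        <?php //The submitted username is echoed back into an attribute, so it is HTML-escaped; unescaped, a value containing a double quote could break out of the attribute and inject markup (reflected XSS) ?>
        <td><input type="text" name="username" id="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES, "UTF-8"); ?>" /></td>
      </tr>
      <tr>
        <th><label for="password">Password</label></th>
        <?php //The password is deliberately never echoed back into the form ?>
        <td><input type="password" name="password" id="password" /></td>
      </tr>
      <tr>
        <td><input type="submit" name="submit" value="Login" /></td>
      </tr>
    </table>
  </form>
  <?php mysqli_close($connection); ?>
</body>
</html>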

   
  
 
 
   

 
mark123
March 05, 2015
 
For your queries use prepared statements or stored procedures to protect against security vulnerabilities.
Abelnegash2015
November 22, 2016
 
please send me the files
gideonna
August 21, 2018
 
it's very nice