how to create php login form like sql connction ans others

Below is a standard template I have made.

login.php

<? session_start();
$dbhost='localhost'; //database host (usually localhost)
$accountname='root'; //database username.
$password=''; //database password
$database='my_database'; //database name - not table
//configure the above variables.
 
 
$linkID = @mysql_connect($dbhost,$accountname,$password)
or die("Could not connect to MySQL server");
@mysql_select_db($database) or die("Could not select database");
 
//adjust mysql query accordingly 
$result=mysql_query("SELECT * FROM `users` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'");
 
if (isset($_POST['username']) && mysql_num_rows($result)==1)
    {
    $row=mysql_fetch_array($result);
    $_SESSION['username111']==$row['username'];
    unset($row);
    header('Location: index.php');
    //there should be no browser output before this line.
    }
?>
<form method='post'>
<input type='text' value='Admin' name='username'><br>
<input type='text' value='password' name='password'>
<input type='submit' value='submit'>
</form>

The above will redirect the user to index.php on login.

index.php

<?
session_start();
//below is how to check if a user is logged in.
if (!isset($_SESSION['username111']))
    {
    echo "You are not logged in.";
    //if not logged in this will occure.
    } else {
    //if logged in this will occure.
    echo "This is password protected content ".$_SESSION['username111'];
    }
?>

Hope that answers it.

//adjust mysql query accordingly 
$result=mysql_query("SELECT * FROM `users` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'");

This doesn't seem very safe...

//adjust mysql query accordingly 
$result=mysql_query("SELECT * FROM `users` WHERE `username`='".mysql_real_escape_string($_POST['username'])."' AND `password`='".mysql_real_escape_string($_POST['password'])."'");

You need to use mysql_real_escape_string() to stop injection attacks.
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

This doesn't seem very safe...

//adjust mysql query accordingly 
$result=mysql_query("SELECT * FROM `users` WHERE `username`='".mysql_real_escape_string($_POST['username'])."' AND `password`='".mysql_real_escape_string($_POST['password'])."'");

You need to use mysql_real_escape_string() to stop injection attacks.
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

I guess I should have made a few security modifications to the code by now because it was a long time ago when I wrote that script and was new to mysql at the time. But yes, some security modifications may need to be made as it is a very basic script.

This article has been dead for over six months. Start a new discussion instead.