Password Protection with PHP, MySQL, and Session Variables

Free Article Home l Submit Article l Contact Us

Password Protection with PHP, MySQL, and Session Variables

One of the great promises that actually came true when our Internet-enabled world reached the twenty-first century is efficient customer-to-business interaction. Each day, I find a new way to go through life's errands without ever waiting on hold for a bank teller, a pharmacist, or an insurance agent. I do it all online.

Internet savvy consumers are coming to expect such web empowerment. And while these information transactions usually require some sort of private data traveling the ether, you, as the webmaster, bear the burden of keeping that data away from those who have no right to it.

Since retina scans and brain wave signatures are still properties of James Bond flicks, we're stuck using plain old boring passwords.

Is this really secure?

Let's get this out of the way first. The only truly secure computer is one that's unplugged. Kind of like "the only safe car is the one that sits in your garage." Life is a risk/reward proposition and, let's face it, this (probably) isn't Fort Knox, we're securing.

The security measures listed here are suitable for garden-variety data. I've used these schemes to write back-end website administration pages for online shopping carts. I've used them to write "partner" pages where retailers can download ads and sales data from wholesalers. I wouldn't use them to secure credit card numbers, social security numbers, or nuclear launch codes.

So what are PHP, MySQL, and session variables?

PHP is a programming language used (in this case) to write HTML. MySQL is a database. Session variable are used by web servers to track information from one page on a domain to another. This article isn't a how-to for either technology. If you aren't very comfortable with them, you could just copy and paste the code samples in this article and build yourself a basic password protected website. You could also just read the Cliff's notes for Pride and Prejudice and get a C+ in literature class. Your choice.

Let's get started with sessions

It's often been said that the web is "stateless", meaning that each web page is entirely independent, needing no other page to exist, and taking no information from the previous page. This is great for anonymous surfing from one site to the next, but it stinks for password protection. Consumers want password protected information, but they don't want to enter their password on every page. So we turn to our web server to keep track of a user while he's on our site.

Ex. 1.

session_start();

?>

Dan McConkey's Free Web Marketing Guide

Dan McConkey's Free Web Marketing Guide

end Ex. 1

session_start() is a PHP function that looks to see if a session has already been started then does one of two things:

1. If a session has been started, it does nothing.

2. If a session has not been started, it begins one.

It is important to note that session_start() must occur before any other PHP on the page, if you want it to work. Begin every password-protected page with it. Validation

Now let's think basic validation. What sorts of things do we need to accomplish?

* First, we need to check to see if the user has already logged in, so we don't ask for a password on every page. If our user has already logged in, we pass him or her through to the secure content.

* If the user hasn't already logged in, we need him or her to do so. So we need to write a log-in form.

* We need next to compare log-in form results with a known list of usernames and passwords. If the user checks out, we pass him or her along to the secure content.

* If the user doesn't check out, we direct him or her back to the log-in screen.

* Lastly, we need to provide the user the ability to log out.

So let's start with a basic frame-work that we'll fill in later.

Ex. 2

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

// check to see if they're already logged in

// if yes, return true

// if no, check to see if visitor has just tried to log on

// if yes, verify password

// if it worked, return true

// if it didn't, send them back to log-in

// if the user didn't just log-in, (s)he needs to

} // end verify function

?>

Dan McConkey's Free Web Marketing Guide

Dan McConkey's Free Web Marketing Guide

// check for valid user

if ( verify() )

{

// begin secure content

echo "

Clatu, verata, nicto

";

// end secure content

} // end if ( verify() )

?>

End Ex. 2

As I said, this is just a frame-work. I like to start all my projects this way. It allows me to get a grand view of what I'm doing before getting mired down in the details.

Basically, so far, all we've done is place some secret content inside an if statement. If the user is valid, we show the content, if not, we don't. Writing a log-in form

The first thing we should flesh out is our log-in function. This is a basic form, with no bells and whistles, so it should be pretty straight forward.

Ex 3

function write_log_in( $text )

{

echo "

$text

";

} // end write_log_in function

End Ex. 3

No problems, right? All this is is PHP writing a basic HTML log-in form. Two things are worth noting:

1. The method attribute to the

tag is 'post'. We could have used 'get', but that would add our user name and password to the URL as varibles. ie our_url?user_name=bob&password=truck64 . This shows the password--in plain text-- right there in the URL. Why spend all this time on security if you're just going to put peoples' passwords out for display?

'post' is much more secure, forcing the server to keep track of form data, rather that the URL. Any time you can keep information out of the URL, you're one step closer to a secure web page.

2. Next you want to look at the action attribute to the tag. Leaving it blank tells the server that you plan to process these form results with this same page.

Checking the log-in values

Now let's flesh out our frame-work a little more.

Ex. 4

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

// check to see if they're already logged in

// if yes, return true

// check to see if visitor has just tried to log on

$user_name = $_POST["user_name"];

$password = $_POST["password"];

if ( $user_name && $password )

{

// verify password and log in to database

$db = mysql_pconnect( "localhost", "$user_name", "$password" );

if ( $db )

{

// register session variable and exit the verify function

$valid_user = $user_name;

$_SESSION['valid_user'] = $valid_user;

return true;

}

else

{

// bad user and password

$text = "User Name and Password did not match";

write_log_in( $text );

}

}

else

{

// if the user didn't just log-in, (s)he needs to

}

} // end verify function

?>

Dan McConkey's Free Web Marketing Guide

Dan McConkey's Free Web Marketing Guide

// check for valid user

if ( verify() )

{

// begin secure content

echo "

Clatu, verata, nicto

";

// end secure content

} // end if ( verify() )

?>

End Ex. 4

First, we'll check whether the user has just tried to log in.

$_POST is a PHP superglobal array that keeps track of data sent to a page via a tag. In the log-in function, we named our inputs user_name and password, so we can access the user input by calling $_POST["user_name"] and $_POST["password"].

We next run an if ( $user_name && $password ) statement to see if both $_POST["user_name"] and $_POST["password"] hold values. If they do, the user just tried to log in.

Our next section of code is the part that actually checks whether the user name and password are correct. Here, we use MySQL's User table (part of the mysql database) to keep track of our users. This is, perhaps, the best route, as MySQL is already set up to control access permissions. However, this can present problems when you want to keep the database connection open across pages. Also, some hosting companies won't give you grant access (let you make new users) to the mysql database.

In those cases, you can accomplish much the same thing by setting up your own users table in your database. You would then need to write an SQL query that compares user names and passwords. That would look something like this:

Ex. 5

$select = "select user_name from users

where user_name='$user_name'

and password=PASSWORD( '$password' )";

$query = mysql_query( $select );

if ( mysql_num_rows( $query ) == 1 )

{

// validated user and password

...

End Ex 5

Getting back to our validation using MySQL's built in features, we know that the user name and password checked out because the connection attempt returned true.

Registering a session variable

Now that we know our user name and password check out, we need to store that information and allow our user to continue surfing our protected area without logging in each and every page. Looking back at example four, we notice another of PHP's superglobal variables: $_SESSION.

$_SESSION is an array that holds all of our session variables. By setting the valid_user session variable, we can later make a call to ession_is_registered( "valid_user" ) to see if our user has already logged in successfully.

Logging out

The last thing we have to attend to is allowing our users to log out of our system. In this case, we've used a simple link inside our protected area.

Ex 6

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

session_unregister( "valid_user" );

session_destroy();

session_start();

}

function write_log_in( $text )

{

} // end write_log_in function

function verify()

{

} // end verify function

?>

Dan McConkey's Free Web Marketing Guide

Dan McConkey's Free Web Marketing Guide

// check for valid user

if ( verify() )

{

echo "

Log out

";

// begin secure content

echo "

Clatu, verata, nicto

";

...

End Ex 6

First, looking in the HTML body, we see a simple HTML link that adds a variable to the URL. In this case, the variable name is log_out and its value is 1. We use 1 as a value because it's easy to store in a URL, but really any value greater than zero will work.

Once we pass a log-out request to the page, we need to process it. That's what the if( $log_out) part is for.

The if statement checks if a log-out request was passed. Once it sees that one was, it unregisters the valid_user session variable, then it destroys the session entirely.

Ironically, it starts a new session right back up. That's in case the user decides to log in later (without closing the browser window), or log in as a different user. The final code

Putting it all together we get this:

Ex. 7

// start session if not already started

session_start();

// check to see if user just logged out

if ( $log_out )

{

session_unregister( "valid_user" );

session_destroy();

session_start();

}

function write_log_in( $text )

{

echo "

$text

User ID:

";

} // end write_log_in function

function verify()

{

// check to see if they're already logged in

if ( session_is_registered( "valid_user" ) ) return true;

// check to see if visitor has just tried to log on

$user_name = $_POST["user_name"];

$password = $_POST["password"];

if ( $user_name && $password )

{

// verify password and log in to database

$db = mysql_pconnect( "localhost", "$user_name", "$password" );

if ( $db )

{

// register session variable and exit the verify function

$valid_user = $user_name;

$_SESSION['valid_user'] = $valid_user;

return true;

}

else

{

// bad user and password

$text = "User Name and Password did not match";

write_log_in( $text );

}

}

else

{

// user must log in

$text = "This is a secure server. Please log in.";

write_log_in( $text );

}

} // end verify function

?>

Dan McConkey's Free Web Marketing Guide

Dan McConkey's Free Web Marketing Guide

// check for valid user

if ( verify() )

{

echo "

Log out

";

// begin secure content

echo "

Clatu, verata, nicto

";

// end secure content

} // end if ( verify() )

?>

End Ex. 7

That's a pretty hefty code block to put at the head of every web page. Typically, I would put my verify() and write_log_in()functions into a seperate file and reference them with an include() function. That provides the added benifit of updating your entire website by editing one file only.

Hope that helps.

Copyright (C) 2005 Dan McConkey

Author Info:

Dan McConkey is a freelance web marketing professional, working in and around Charlotte, NC. In the web, Dan has found an amazing potential for lead generation for businesses. Using traditional advertising theories, appropriate technologies, and a little common sense, your electronic marketing campaigns can easily be your most effective. Dan maintains Dan McConkey's Free Web Marketing Guide at http://www.dmcconkey.com dmcconkey@yahoo.com

30 Most Recent Articles :

A Disputed New Business:Virtual Property Exchange

In many ways, the in-game economy is similar to a real world economy - goods and services are traded to mutual advantage and are mediated in currencies(gold,platinum,credit,etc.). An online broker, who goes by the screen name Rolala, was not a fan of online games until his 15-year-old son be[ Read Article]

THE UNITED STATES, A Terrorist Nation

I love the United States of America, but I cannot tolerate the UNITED STATES OF AMERICA. No I am not shouting at you, I am simply making a distinction, a difference that thirty-seven states of the union have noticed and moved to rectify. You see, AMERICA isn�t America anymore, nor does it in anyw[ Read Article]

Dollars and Sense

When I speak of the Federal Reserve and the fiat monetary system that controls our lives I feel as though my words are falling on deaf ears. I have the sense that the simplest conversations suggesting that change must be made invoke fear and condemnation from my fellow citizens. When will we tak[ Read Article]

Constitutionality

Is the 16th Amendment constitutional? Of course it is, the Supreme Court has made that as clear as it did the issue of slavery. But let us remember that it took the lives of more than 365,000 brave American men and the destruction of the Republic to wrest the matter from the courts and resolve the[ Read Article]

Five Secrets to Effective Pay-Per-Click Advertising

With so many companies swarming the World Wide Web with their products, how can you and your products and services stand out? Your ready answer would most likely be effective marketing. But how? How can you catch the eye of a surfer skimming carelessly through web pages? How can you keep the at[ Read Article]

How to Sell Bonds

If you want to make good money with banks, or any institution, Government and agency bonds are where it is at. Simply because all Government bonds and agencies are AAA rated, and banks can buy millions of dollars of any bond without incurring any credit risk. All banks own bonds of some sort, a[ Read Article]

Closing in the Car Business

The �P� Word. Closing is all about helping car customers make positive decisions. It is not about pressure or manipulation. Your customers need help overcoming the �P� word. Procrastination! Procrastination is natural when it comes to making a buying decision. Your customer is trying to avoid [ Read Article]

If You Build It They Will Come, or Will They?

All right, so you invested your time and energy to build your organization a great new web site, but you are not getting quite the results you were hoping for. Few customers are visiting or interacting with you and rarely do you get prospects to contact you through the site. So what can you do to [ Read Article]

Confessions of a Yoga Teacher

The following are questions that Yoga teachers still need to answer, despite overwhelming evidence that Yoga is ?the mother of all health maintenance systems.? Mainstream thought is finally catching up, with the progress Yoga is making, but it has taken 5,000 years for us to get this far. Serio[ Read Article]

Vertical Creep in Search Results :: Should Organic Optimizers be Concerned?

I thought for this week I�d give a summary of some of the more interesting Search Engine Strategies sessions which are currently going on in New York City. I was at SES as a speaker last year in New York and I have to say, there is a wealth of information there even if some of it is contradict[ Read Article]

How to build link popularity fast and free

We all knew that back link or link popularity is a big factor to get good position in any search engines. But building link popularity some times really hard if you don't know how to do it. One of the hardest problem for new webmasters is to get back link to their newly stablis[ Read Article]

Does Chiropractic Care Really Make Sense?

The Role of Chiropractic in Treatment Beyond the Resolution of Symptoms Do you have the same nagging injury that never seems to go away? Are you suffering needlessly with pain? Are you fed up with taking painkillers? Do you want to find out what is causing your pain? If your answer is �ye[ Read Article]

The Economic Implications of Buying Drugs Online

Although the Internet is fairly new (at least to the mainstream) online shopping has grown by leaps and bounds. Now you can buy almost anything you need, from food to fishing equipment, right through your computer. Of course, this has meant that commerce has been forced to adapt to the changing co[ Read Article]

Manning and Manning-Can Either Brother Win the Big One?

It was just over a year ago, after the Colts lost to the Pats in their post-season contest, that Boomer Esiason said on national television, "I think maybe Peyton (Manning) is this generation's Dan Marino." Esiason went on to state that Manning "is a great football player, but he's not going to get[ Read Article]

Branding, Branding, Branding - MSN fails to keep it Straight

Sometimes you see promotions come along and you wonder: did they just do that? The current MSN promotion called msnsearchandwin is a prime example of this. Not only do they use �black hat� or at least �questionable� tactics on the site, but the messaging is inconsistent. In this article [ Read Article]

The New MSN Search Interface :: A positive change or the antithesis of transformation?

Now, instead of wide blue bars there are sleek silver-grey bars. Also, the top bar where the search box is became narrower. To me this makes the page seem less �closed in� and more visually appealing. I now feel as if I can trust the results more because they have more room. I�ve also noti[ Read Article]

Malta Holidays

With Malta visitor numbers static in recent years and facing new competiton from former Eastern Bloc countries offering cheap holidays, the recent announcement by the Maltese government that negotiations were at an advanced stage with two low cost airlines has[ Read Article]

Drug Rehab Treatment Centers as an Experience, not a Punishment

Choosing a drug rehab treatment center is a decision that calls for both negative and positive emotions. Nobody wants addiction to overtake their life to the point that rehab is the necessary step. However, the decision to go to one is something to look forward to, as it is the decision to rebui[ Read Article]

Some ways to improve your king content

There are thousands of articles, books and forum posts which showed that content is king in search engine optimization (SEO). In this article, you can find some ways that can help you improve this king content for your web site. * Content for people first, not for search engines - Some webmaste[ Read Article]

Aerosmith Just Keeps On Rockin�

For over three decades, Aerosmith have been one of rock's most revered and popular bands, crafting classic songs full of raw guitar runs and intensely energetic vocals. The band first reached fame in the 1970�s with a string of hits including "Dream On," "Sweet Emotion" and "Walk This Way." During t[ Read Article]

Chicago Cubs Pitcher Mark Prior Re-signs

After many trips through the rumor mill, Mark Prior accepted the Chicago Cubs� offer on January 27 to a one-year, $3.65 million contract. That is $900,000 more than the salary he would have earned under the contract he voided in November. Since Prior's definitive season in 2003 (18-6), he has cooled[ Read Article]

Social Networking - The Next Great Marketing Medium?

There has been a virtual explosion of social networking sites in the past couple of years. Even the big players like Google, Yahoo and MSN are getting into it. With so much interest in how social networks work, one begins to wonder if there is marketing potential within these social network[ Read Article]

How to choose paid directory for web site listing?

How to choose paid directory for web site listing? Search Engines are the major source of traffic for any website. High search engine ranking can boost number of your visitors and in turn leads to increase in sales. The best way to get top search engine placement is to improve link popularity [ Read Article]

Addiction Treatment Centers Using Experiential Therapies

Life is experience. Substance dependence overtakes a person�s ability to make her own decisions to experience life, and life is no longer actively participated in. Therefore, in overcoming addiction, it is vital to learn to re-experience life. This lesson helps a treatment center resident reint[ Read Article]

The DH: Making Life Tough for AL Pitchers

In 1973 Major League Baseball instituted three rules designed to lessen the power of pitchers and create more offense. One theory at work was that the game needed to be energized and that more hitting would create additional runs and excitement. Both the National and American Leagues lowered th[ Read Article]

Vacation on the Beach the Smart Way

Vacation on the Beach the Smart Way Almost everyone agrees; there is no more relaxing way to vacation than to take it to the beach. For the vacationer/traveler who hasn't considered a beach house rental before, they represent an affordable and fun family oriented alternative. There is an intell[ Read Article]

Malta Holidays and Hotels Buzzed by New Jets

The Rising Cost of Prescription Drugs

If you�re like many Americans, the rising cost of prescription drugs may be costing you your health. In particular, seniors living on a fixed income with no insurance are finding it difficult to pay for necessary prescriptions out-of-pocket, and as a result, may be failing to receive the treatment[ Read Article]

Who's Tops in Hockey and Who's Not

The National Hockey League needs to do more to encourage better coverage of the hockey games. With so many other sports realizing national coverage, the NHL is sometimes forgotten. However, this year, there's a race for the Stanley Cup, and only one is set to win it. But which team will that be? [ Read Article]

The Danger Of Rounding Up Your Debts

Rounding up your debts is one of the biggest dangers to your financial position. It's also one of the easiest ways for your debts to get out of control. This way of thinking is best summed up by the following comment; �I already owe $27500 so what�s another $500. It takes my debt to a nice round [ Read Article]

World Top Stories :

Markets rally after crisis talks

European and Asian stock markets react positively to efforts by world leaders to stem the financial turmoil.

Mbeki seeks to save Zimbabwe deal

Ex-South African President Thabo Mbeki is due in Harare for talks aimed at breaking the political impasse in Zimbabwe.

World 'to fail' on nature target

The world's governments will fail to meet their agreed target of curbing biodiversity loss by 2010, conservationists tell the BBC.

Pakistan hit 'kills 35 Taleban'

Pakistan says its forces have killed 35 Taleban, two days after a suicide attack by the militants in Orakzai province.

Turkish jets bomb Kurds in Iraq

Turkey's military says its planes bombed Kurdish rebels in northern Iraq, in the seventh cross-border raid in recent days.