How to determine if the username and password entered is a match with PHP and MySQL

Home > Search > How-to
  by

This series is intended to be followed in chronological order.  If you have not followed the previous tutorial on how to secure private Web pages using PHP Sessions, you may need to read the previous tutorial first.

In the previous tutorial, we explained how a Session ID could be used to decide if a user is allowed or is not allowed to access our private pages edit_content.php or admin.php.  In this tutorial, we assume the user attempted to access edit_content.php or admin.php, and the user did not have a cookie on their computer that matched a Session ID on the server, thus the user was directed to the authentication_signin.php page.

The authentication_signin.php page will consist of a form where the user will enter their username and password.  This is the minimal code required in the username and password form.

<form method="get" action="authentication_check.php">
<input type="text" id="myusername">
<input type="password" id="mypassword">
<button>Submit</button>
</form>

Notice the action of this form is authentication_check.php.  What happens here is the username and password entered are passed to the authentication_check.php file.  Following is the code for the authentication_check.php file.

<?php

//variables
$con = new mysqli('mysql_domain', 'mysql_username', 'mysql_password', 'authentication');
$admin = $_GET['admin'];
$salt = "Vj4nvTK94nvj5skdfjFD";
$myusername = mysqli_real_escape_string($con, $_GET['myusername'];
$mypassword = mysqli_real_escape_string($con, $_GET['mypassword'].$salt;
$encrypt_password = sha1($mypassword);
$user_pass_verification = "select count(*) from users where username='$myusername' and password='$encrypt_mypassword' ";
$user_pass_verification_query = mysqli_query($con,$user_pass_verification);


//execution logic
while($row = mysqli_fetch_array($user_pass_verification_query)) {
 if($row[0]==1 & $admin == 'yes') {$_SESSION['id'] = session_id(); header("location:admin.php");
 elseif($row[0]==1 & $admin == 'no') {$_SESSION['id'] = session_id(); header("location:edit_content.php");
 else{header("location:authentication_signin.php");}
}

?>

The execution logic of this code has three possible actions.

  1. If the username and password are in the MySQL database and admin=yes, the user is redirected to the admin.php page.
  2. If the username and password are in the MySQL database and admin=no, the user is redirected to the edit_content.php page.
  3. If the username and password are not in the MySQL database, the user is redirected to the authentication_signin.php page.

This code also enrypts and the password using SHA1, and salts the password with random data.  Further down in this article we will explain the purpose of SHA1 encrypting and salt.

Because this logic check the MySQL authentication database and users table for the username and password, our next task is to set up the MySQL authentication database and users table. Enter the following command into a Linux Terminal to create the MySQL authentication database and users table.  This also inserts a test username and password.

jeremy@jeremy ~ $ create database authentication;

jeremy@jeremy ~ $ create table users (
id INT(11) not null primary key auto_increment,
username VARCHAR(50) not null,
password VARCHAR(50) not null
);

If we were not using SHA1 to encrypt our password and salting the password, we could insert a dummy username and password in our users table, such as TESTUSER and PASSWORD123 and sign in with TESTUSER and PASSWORD123.  However, because we are encrypting and salting our password, we will be unable to sign in with PASSWORD123.  We need to determine what the encrypted and salted output of PASSWORD123 will be.  The following code will give us the encrypted and salted password.

<?php
$password = "PASSWORD123";
$salt = "Vj4nvTK94nvj5skdfjFD";
$sha1 = sha1($password.$salt);
echo $sha1;
?>

We could save this code as a web page, such as password_generator.php.  Then, load the page in a Web browser, and it will output the encrypted and salted password, which will be something like 02c85a6edbcbea475fa5583ccd8323415a6c2db2.  What we want to do now is to insert the username TESTUSER and the enrypted password 02c85a6edbcbea475fa5583ccd8323415a6c2db2 in the MySQL database.  Enter these commands to insert TESTUSER and in the MySQL database.

jeremy@jeremy ~ $ insert into users
(username, password)
VALUES
("TESTUSER", "02c85a6edbcbea475fa5583ccd8323415a6c2db2 ");

Now when attempting to sign in with TESTUSER and PASSWORD123, the username and password will match the records in the MySQL database, and the user will be authenthenticated, assigned a session ID number, and directed to either the admin.php or edit_content.php page.



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments