Jan 11
In this advanced tutorial i will teach you the steps required to create a custom build login/member system with PHP.
The system itself ofcourse has alot of room for improvements, also, it’s very easily expandable, i’ve chosen to work in a modular way, so that if you change something you only have to change it in 1 file. I’ve done this by using functions, this script is a good example of the real power of PHP.
Features:
- Registration
- Lost password
- Various checks on passwords and usernames
- users can change their password
- Passwords are stored in a database with a seed added to it and they have sha1 encryption
- Easy to adjust & use
Requirements:
- Mysql database
- a php & mysql enabled host
- php mail() enabled host
- ftp access to your website
Overview
Steps:
- Creating the mysql table
- Creating a db_connect.inc.php file
- Creating the header.php file
- Creating the footer.php file
- Creating the index.php file
- Creating the login.php file
- Creating the logout.php file
- Creating a function.inc.php file
- Creating the mail.functions.inc.php file
- Creating the display.functions.inc.php file
- Creating the login.functions.inc.php file
- Creating the user.functions.inc.php file
- Creating the validation.functions.inc.php file
- Creating the lostpassword.php file
- Creating the changepassword.php file
- Creating the register.php file
- Creating the activate.php file
Step 1: Creating the mysql table
For this tutorials i presume you already know how to add tables to your database.
Table login (SQL code):
CREATE TABLE `login` (
`loginid` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`username` varchar(30) NOT NULL,
`password` varchar(50) NOT NULL,
`email` varchar(255) NOT NULL,
`actcode` varchar(45) NOT NULL,
`disabled` tinyint(1) NOT NULL DEFAULT '0',
`activated` tinyint(1) NOT NULL DEFAULT '0',
PRIMARY KEY (`loginid`)
);
`loginid` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`username` varchar(30) NOT NULL,
`password` varchar(50) NOT NULL,
`email` varchar(255) NOT NULL,
`actcode` varchar(45) NOT NULL,
`disabled` tinyint(1) NOT NULL DEFAULT '0',
`activated` tinyint(1) NOT NULL DEFAULT '0',
PRIMARY KEY (`loginid`)
);
Now let us add the administrator account:
- username: admin
- password: yourpasswordhere
** Change the text yourpassword here with the desired password.
** Change the text youremailhere with your email adress.
SQL query:
INSERT INTO login (username,password,email,activated) value ('admin',sha1(concat('yourpasswordhere','0dAfghRqSTgx')),'youremailhere','1');
The table is now ready, and the administrator account has been added. let us move on to step 2.
Step 2: Creating a db_connect.inc.php file
This file will be used to manage the connection to the database.
File db_connect.inc.php:
<?php
// Database settings
// database hostname or IP. default:localhost
// localhost will be correct for 99% of times
define("HOST", "localhost");
// Database user
define("DBUSER", "dbuser");
// Database password
define("PASS", "dbpass");
// Database name
define("DB", "dbname");
############## Make the mysql connection ###########
$conn = mysql_connect(HOST, DBUSER, PASS) or die('Could not connect !<br />Please contact the site\'s administrator.');
$db = mysql_select_db(DB) or die('Could not connect to database !<br />Please contact the site\'s administrator.');
?>
// Database settings
// database hostname or IP. default:localhost
// localhost will be correct for 99% of times
define("HOST", "localhost");
// Database user
define("DBUSER", "dbuser");
// Database password
define("PASS", "dbpass");
// Database name
define("DB", "dbname");
############## Make the mysql connection ###########
$conn = mysql_connect(HOST, DBUSER, PASS) or die('Could not connect !<br />Please contact the site\'s administrator.');
$db = mysql_select_db(DB) or die('Could not connect to database !<br />Please contact the site\'s administrator.');
?>
Let me explain:
- HOST: this is the location for the database server it can be a hostname or an ip adress. it is usualy localhost.
- DBUSER: this is the database user account used to access the database.
- PASS: this is the password for the database user account.
- DB: this is the name of the database used.
Step 3: Creating the header.php file
File header.php:
<?php
error_reporting(0); // we don't want to see errors on screen
// Start a session
session_start();
require_once ('db_connect.inc.php'); // include the database connection
require_once ("functions.inc.php"); // include all the functions
$seed="0dAfghRqSTgx"; // the seed for the passwords
$domain = "ineedtutorials.com"; // the domain name without http://www.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Complete Member Login / System tutorial - <?php echo $domain; ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
error_reporting(0); // we don't want to see errors on screen
// Start a session
session_start();
require_once ('db_connect.inc.php'); // include the database connection
require_once ("functions.inc.php"); // include all the functions
$seed="0dAfghRqSTgx"; // the seed for the passwords
$domain = "ineedtutorials.com"; // the domain name without http://www.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Complete Member Login / System tutorial - <?php echo $domain; ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
Step 4: Creating the footer.php file
The footer file is included at the bottom of every page, it looks like this:
<hr>
<div id='footer'>Copyright 2007-2008 © <?php echo $domain; ?></div>
</body>
</html>
<div id='footer'>Copyright 2007-2008 © <?php echo $domain; ?></div>
</body>
</html>
Step 5: Creating the index.php file
In this step we will create the homepage of the website, we’ll keep it very basic, only the login will be displayed.
File index.php:
<?php
require_once "header.php";
//content
include "login.php";
// more content
require_once "footer.php";
?>
require_once "header.php";
//content
include "login.php";
// more content
require_once "footer.php";
?>
Step 6: Creating the login.php file
In this step we will make the actual login page, because we want to keep it readable we create some custom build functions that will handle the actual login. So basicly all this page will do is call the functions checkLogin(), show_loginform() and isLoggedIn()
<?php
if (!isLoggedIn())
{
// user is not logged in.
if (isset($_POST['cmdlogin']))
{
// retrieve the username and password sent from login form & check the login.
if (checkLogin($_POST['username'], $_POST['password']))
{
show_userbox();
} else
{
echo "Incorrect Login information !";
show_loginform();
}
} else
{
// User is not logged in and has not pressed the login button
// so we show him the loginform
show_loginform();
}
} else
{
// The user is already loggedin, so we show the userbox.
show_userbox();
}
?>
if (!isLoggedIn())
{
// user is not logged in.
if (isset($_POST['cmdlogin']))
{
// retrieve the username and password sent from login form & check the login.
if (checkLogin($_POST['username'], $_POST['password']))
{
show_userbox();
} else
{
echo "Incorrect Login information !";
show_loginform();
}
} else
{
// User is not logged in and has not pressed the login button
// so we show him the loginform
show_loginform();
}
} else
{
// The user is already loggedin, so we show the userbox.
show_userbox();
}
?>
Step 7: Creating the logout.php file
The logout file will destroy the session and it’s stored information. Afterwards it will redirect the user to the homepage.
File logout.php:
<?php
session_start();
if( session_unregister('loginid') == true && session_unregister('username')==true ) {
session_destroy();
header('Location: index.php');
} else {
unset($_SESSION['loginid']);
unset($_SESSION['username']);
session_destroy();
header('Location: index.php');
}
?>
session_start();
if( session_unregister('loginid') == true && session_unregister('username')==true ) {
session_destroy();
header('Location: index.php');
} else {
unset($_SESSION['loginid']);
unset($_SESSION['username']);
session_destroy();
header('Location: index.php');
}
?>
Step 8: Creating the function.inc.php file
Now we will create a file that will store all our functions, by including this file all our functions will be accessable.
It will help keep track of your functions.
File functions.inc.php:
<?php
require_once("mail.functions.inc.php");
require_once("user.functions.inc.php");
require_once("display.functions.inc.php");
require_once("login.functions.inc.php");
require_once("validation.functions.inc.php");
function generate_code($length = 10)
{
if ($length <= 0)
{
return false;
}
$code = "";
$chars = "abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ123456789";
srand((double)microtime() * 1000000);
for ($i = 0; $i < $length; $i++)
{
$code = $code . substr($chars, rand() % strlen($chars), 1);
}
return $code;
}
?>
require_once("mail.functions.inc.php");
require_once("user.functions.inc.php");
require_once("display.functions.inc.php");
require_once("login.functions.inc.php");
require_once("validation.functions.inc.php");
function generate_code($length = 10)
{
if ($length <= 0)
{
return false;
}
$code = "";
$chars = "abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ123456789";
srand((double)microtime() * 1000000);
for ($i = 0; $i < $length; $i++)
{
$code = $code . substr($chars, rand() % strlen($chars), 1);
}
return $code;
}
?>
Step 9: Creating the mail.functions.inc.php file
This file will contain all functions that we use to send emails.
File mail.functions.inc.php:
<?php
##### Mail functions #####
function sendLostPasswordEmail($username, $email, $newpassword)
{
global $domain;
$message = "
You have requested a new password on http://www.$domain/,
Your new password information:
username: $username
password: $newpassword
Regards
$domain Administration
";
if (sendMail($email, "Your password has been reset.", $message, "no-reply@$domain"))
{
return true;
} else
{
return false;
}
}
function sendMail($to, $subject, $message, $from)
{
$from_header = "From: $from";
if (mail($to, $subject, $message, $from_header))
{
return true;
} else
{
return false;
}
return false;
}
function sendActivationEmail($username, $password, $uid, $email, $actcode)
{
global $domain;
$link = "http://www.$domain/activate.php?uid=$uid&actcode=$actcode";
$message = "
Thank you for registering on http://www.$domain/,
Your account information:
username: $username
password: $password
Please click the link below to activate your account.
$link
Regards
$domain Administration
";
if (sendMail($email, "Please activate your account.", $message, "no-reply@$domain"))
{
return true;
} else
{
return false;
}
}
?>
##### Mail functions #####
function sendLostPasswordEmail($username, $email, $newpassword)
{
global $domain;
$message = "
You have requested a new password on http://www.$domain/,
Your new password information:
username: $username
password: $newpassword
Regards
$domain Administration
";
if (sendMail($email, "Your password has been reset.", $message, "no-reply@$domain"))
{
return true;
} else
{
return false;
}
}
function sendMail($to, $subject, $message, $from)
{
$from_header = "From: $from";
if (mail($to, $subject, $message, $from_header))
{
return true;
} else
{
return false;
}
return false;
}
function sendActivationEmail($username, $password, $uid, $email, $actcode)
{
global $domain;
$link = "http://www.$domain/activate.php?uid=$uid&actcode=$actcode";
$message = "
Thank you for registering on http://www.$domain/,
Your account information:
username: $username
password: $password
Please click the link below to activate your account.
$link
Regards
$domain Administration
";
if (sendMail($email, "Please activate your account.", $message, "no-reply@$domain"))
{
return true;
} else
{
return false;
}
}
?>
Step 10: Creating the display.functions.inc.php file
This file will contain all functions that display a form or a userbox on the page.
For example: It contains the loginform, the HTML code for the userbox, the lostpassword form, …
file: display.functions.inc.php
<?php
#### Display Functions ####
function show_userbox()
{
// retrieve the session information
$u = $_SESSION['username'];
$uid = $_SESSION['loginid'];
// display the user box
echo "<div id='userbox'>
Welcome $u
<ul>
<li><a href='./changepassword.php'>Change Password</a></li>
<li><a href='./logout.php'>Logout</a></li>
</ul>
</div>";
}
function show_changepassword_form(){
echo '<form action="./changepassword.php" method="post">
<fieldset>
<legend>Change Password</legend>
<input type="hidden" value="'.$_SESSION['username'].'" name="username">
<dl>
<dt>
<label for="oldpassword">Current Password:</label>
</dt>
<dd>
<input name="oldpassword" type="password" id="oldpassword" maxlength="15">
</dd>
</dl>
<dl>
<dt>
<label for="password">New Password:</label>
</dt>
<dd>
<input name="password" type="password" id="password" maxlength="15">
</dd>
</dl>
<dl>
<dt>
<label for="password2">Re-type new password:</label>
</dt>
<dd>
<input name="password2" type="password" id="password2" maxlength="15">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="change" type="submit" value="Reset Password">
</p>
</fieldset>
</form>
';
}
function show_loginform($disabled = false)
{
echo '<form name="login-form" id="login-form" method="post" action="./index.php">
<fieldset>
<legend>Please login</legend>
<dl>
<dt><label title="Username">Username: </label></dt>
<dd><input tabindex="1" accesskey="u" name="username" type="text" maxlength="30" id="username" /></dd>
</dl>
<dl>
<dt><label title="Password">Password: </label></dt>
<dd><input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" /></dd>
</dl>
<ul>
<li><a href="./register.php" title="Register">Register</a></li>
<li><a href="./lostpassword.php" title="Lost Password">Lost password?</a></li>
</ul>
<p><input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" ';
if ($disabled == true)
{
echo 'disabled="disabled"';
}
echo ' /></p></fieldset></form>';
}
function show_lostpassword_form(){
echo '<form action="./lostpassword.php" method="post">
<fieldset><legend>Reset Password</legend>
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input name="username" type="text" id="username" maxlength="30">
</dd>
</dl>
<dl>
<dt><label for="email">email:</label></dt>
<dd><input name="email" type="text" id="email" maxlength="255">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="lostpass" type="submit" value="Reset Password">
</p>
</fieldset>
</form>';
}
function show_registration_form(){
echo '<form action="./register.php" method="post">
<fieldset><legend>Register</legend>
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input name="username" type="text" id="username" maxlength="30">
</dd>
</dl>
<dl>
<dt><label for="password">Password:</label></dt>
<dd><input name="password" type="password" id="password" maxlength="15">
</dd>
</dl>
<dl>
<dt><label for="password2">Re-type password:</label></dt>
<dd><input name="password2" type="password" id="password2" maxlength="15">
</dd>
</dl>
<dl>
<dt><label for="email">email:</label></dt>
<dd><input name="email" type="text" id="email" maxlength="255">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="register" type="submit" value="Register">
</p>
</fieldset>
</form>';
}
?>
#### Display Functions ####
function show_userbox()
{
// retrieve the session information
$u = $_SESSION['username'];
$uid = $_SESSION['loginid'];
// display the user box
echo "<div id='userbox'>
Welcome $u
<ul>
<li><a href='./changepassword.php'>Change Password</a></li>
<li><a href='./logout.php'>Logout</a></li>
</ul>
</div>";
}
function show_changepassword_form(){
echo '<form action="./changepassword.php" method="post">
<fieldset>
<legend>Change Password</legend>
<input type="hidden" value="'.$_SESSION['username'].'" name="username">
<dl>
<dt>
<label for="oldpassword">Current Password:</label>
</dt>
<dd>
<input name="oldpassword" type="password" id="oldpassword" maxlength="15">
</dd>
</dl>
<dl>
<dt>
<label for="password">New Password:</label>
</dt>
<dd>
<input name="password" type="password" id="password" maxlength="15">
</dd>
</dl>
<dl>
<dt>
<label for="password2">Re-type new password:</label>
</dt>
<dd>
<input name="password2" type="password" id="password2" maxlength="15">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="change" type="submit" value="Reset Password">
</p>
</fieldset>
</form>
';
}
function show_loginform($disabled = false)
{
echo '<form name="login-form" id="login-form" method="post" action="./index.php">
<fieldset>
<legend>Please login</legend>
<dl>
<dt><label title="Username">Username: </label></dt>
<dd><input tabindex="1" accesskey="u" name="username" type="text" maxlength="30" id="username" /></dd>
</dl>
<dl>
<dt><label title="Password">Password: </label></dt>
<dd><input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" /></dd>
</dl>
<ul>
<li><a href="./register.php" title="Register">Register</a></li>
<li><a href="./lostpassword.php" title="Lost Password">Lost password?</a></li>
</ul>
<p><input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" ';
if ($disabled == true)
{
echo 'disabled="disabled"';
}
echo ' /></p></fieldset></form>';
}
function show_lostpassword_form(){
echo '<form action="./lostpassword.php" method="post">
<fieldset><legend>Reset Password</legend>
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input name="username" type="text" id="username" maxlength="30">
</dd>
</dl>
<dl>
<dt><label for="email">email:</label></dt>
<dd><input name="email" type="text" id="email" maxlength="255">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="lostpass" type="submit" value="Reset Password">
</p>
</fieldset>
</form>';
}
function show_registration_form(){
echo '<form action="./register.php" method="post">
<fieldset><legend>Register</legend>
<dl>
<dt><label for="username">Username:</label></dt>
<dd><input name="username" type="text" id="username" maxlength="30">
</dd>
</dl>
<dl>
<dt><label for="password">Password:</label></dt>
<dd><input name="password" type="password" id="password" maxlength="15">
</dd>
</dl>
<dl>
<dt><label for="password2">Re-type password:</label></dt>
<dd><input name="password2" type="password" id="password2" maxlength="15">
</dd>
</dl>
<dl>
<dt><label for="email">email:</label></dt>
<dd><input name="email" type="text" id="email" maxlength="255">
</dd>
</dl>
<p>
<input name="reset" type="reset" value="Reset">
<input name="register" type="submit" value="Register">
</p>
</fieldset>
</form>';
}
?>
Step 11: Creating the login.functions.inc.php file
This file will contain the login functions
file: login.functions.inc.php
<?php
#### Login Functions #####
function isLoggedIn()
{
if (session_is_registered('loginid') && session_is_registered('username'))
{
return true; // the user is loged in
} else
{
return false; // not logged in
}
return false;
}
function checkLogin($u, $p)
{
global $seed; // global because $seed is declared in the header.php file
if (!valid_username($u) || !valid_password($p) || !user_exists($u))
{
return false; // the name was not valid, or the password, or the username did not exist
}
//Now let us look for the user in the database.
$query = sprintf("
SELECT loginid
FROM login
WHERE
username = '%s' AND password = '%s'
AND disabled = 0 AND activated = 1
LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
$result = mysql_query($query);
// If the database returns a 0 as result we know the login information is incorrect.
// If the database returns a 1 as result we know the login was correct and we proceed.
// If the database returns a result > 1 there are multple users
// with the same username and password, so the login will fail.
if (mysql_num_rows($result) != 1)
{
return false;
} else
{
// Login was successfull
$row = mysql_fetch_array($result);
// Save the user ID for use later
$_SESSION['loginid'] = $row['loginid'];
// Save the username for use later
$_SESSION['username'] = $u;
// Now we show the userbox
return true;
}
return false;
}
?>
#### Login Functions #####
function isLoggedIn()
{
if (session_is_registered('loginid') && session_is_registered('username'))
{
return true; // the user is loged in
} else
{
return false; // not logged in
}
return false;
}
function checkLogin($u, $p)
{
global $seed; // global because $seed is declared in the header.php file
if (!valid_username($u) || !valid_password($p) || !user_exists($u))
{
return false; // the name was not valid, or the password, or the username did not exist
}
//Now let us look for the user in the database.
$query = sprintf("
SELECT loginid
FROM login
WHERE
username = '%s' AND password = '%s'
AND disabled = 0 AND activated = 1
LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
$result = mysql_query($query);
// If the database returns a 0 as result we know the login information is incorrect.
// If the database returns a 1 as result we know the login was correct and we proceed.
// If the database returns a result > 1 there are multple users
// with the same username and password, so the login will fail.
if (mysql_num_rows($result) != 1)
{
return false;
} else
{
// Login was successfull
$row = mysql_fetch_array($result);
// Save the user ID for use later
$_SESSION['loginid'] = $row['loginid'];
// Save the username for use later
$_SESSION['username'] = $u;
// Now we show the userbox
return true;
}
return false;
}
?>
Step 12: Creating the user.functions.inc.php file
This file will contain the user functions
file: user.functions.inc.php
<?php
##### User Functions #####
function changePassword($username,$currentpassword,$newpassword,$newpassword2){
global $seed;
if (!valid_username($username) || !user_exists($username))
{
return false;
}
if (! valid_password($newpassword) || ($newpassword != $newpassword2)){
return false;
}
// we get the current password from the database
$query = sprintf("SELECT password FROM login WHERE username = '%s' LIMIT 1",
mysql_real_escape_string($username));
$result = mysql_query($query);
$row= mysql_fetch_row($result);
// compare it with the password the user entered, if they don't match, we return false, he needs to enter the correct password.
if ($row[0] != sha1($currentpassword.$seed)){
return false;
}
// now we update the password in the database
$query = sprintf("update login set password = '%s' where username = '%s'",
mysql_real_escape_string(sha1($newpassword.$seed)), mysql_real_escape_string($username));
if (mysql_query($query))
{
return true;
}else {return false;}
return false;
}
function user_exists($username)
{
if (!valid_username($username))
{
return false;
}
$query = sprintf("SELECT loginid FROM login WHERE username = '%s' LIMIT 1",
mysql_real_escape_string($username));
$result = mysql_query($query);
if (mysql_num_rows($result) > 0)
{
return true;
} else
{
return false;
}
return false;
}
function activateUser($uid, $actcode)
{
$query = sprintf("select activated from login where loginid = '%s' and actcode = '%s' and activated = 0 limit 1",
mysql_real_escape_string($uid), mysql_real_escape_string($actcode));
$result = mysql_query($query);
if (mysql_num_rows($result) == 1)
{
$sql = sprintf("update login set activated = '1' where loginid = '%s' and actcode = '%s'",
mysql_real_escape_string($uid), mysql_real_escape_string($actcode));
if (mysql_query($sql))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
}
function registerNewUser($username, $password, $password2, $email)
{
global $seed;
if (!valid_username($username) || !valid_password($password) ||
!valid_email($email) || $password != $password2 || user_exists($username))
{
return false;
}
$code = generate_code(20);
$sql = sprintf("insert into login (username,password,email,actcode) value ('%s','%s','%s','%s')",
mysql_real_escape_string($username), mysql_real_escape_string(sha1($password . $seed))
, mysql_real_escape_string($email), mysql_real_escape_string($code));
if (mysql_query($sql))
{
$id = mysql_insert_id();
if (sendActivationEmail($username, $password, $id, $email, $code))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
return false;
}
function lostPassword($username, $email)
{
global $seed;
if (!valid_username($username) || !user_exists($username) || !valid_email($email))
{
return false;
}
$query = sprintf("select loginid from login where username = '%s' and email = '%s' limit 1",
$username, $email);
$result = mysql_query($query);
if (mysql_num_rows($result) != 1)
{
return false;
}
$newpass = generate_code(8);
$query = sprintf("update login set password = '%s' where username = '%s'",
mysql_real_escape_string(sha1($newpass.$seed)), mysql_real_escape_string($username));
if (mysql_query($query))
{
if (sendLostPasswordEmail($username, $email, $newpass))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
return false;
}
?>
##### User Functions #####
function changePassword($username,$currentpassword,$newpassword,$newpassword2){
global $seed;
if (!valid_username($username) || !user_exists($username))
{
return false;
}
if (! valid_password($newpassword) || ($newpassword != $newpassword2)){
return false;
}
// we get the current password from the database
$query = sprintf("SELECT password FROM login WHERE username = '%s' LIMIT 1",
mysql_real_escape_string($username));
$result = mysql_query($query);
$row= mysql_fetch_row($result);
// compare it with the password the user entered, if they don't match, we return false, he needs to enter the correct password.
if ($row[0] != sha1($currentpassword.$seed)){
return false;
}
// now we update the password in the database
$query = sprintf("update login set password = '%s' where username = '%s'",
mysql_real_escape_string(sha1($newpassword.$seed)), mysql_real_escape_string($username));
if (mysql_query($query))
{
return true;
}else {return false;}
return false;
}
function user_exists($username)
{
if (!valid_username($username))
{
return false;
}
$query = sprintf("SELECT loginid FROM login WHERE username = '%s' LIMIT 1",
mysql_real_escape_string($username));
$result = mysql_query($query);
if (mysql_num_rows($result) > 0)
{
return true;
} else
{
return false;
}
return false;
}
function activateUser($uid, $actcode)
{
$query = sprintf("select activated from login where loginid = '%s' and actcode = '%s' and activated = 0 limit 1",
mysql_real_escape_string($uid), mysql_real_escape_string($actcode));
$result = mysql_query($query);
if (mysql_num_rows($result) == 1)
{
$sql = sprintf("update login set activated = '1' where loginid = '%s' and actcode = '%s'",
mysql_real_escape_string($uid), mysql_real_escape_string($actcode));
if (mysql_query($sql))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
}
function registerNewUser($username, $password, $password2, $email)
{
global $seed;
if (!valid_username($username) || !valid_password($password) ||
!valid_email($email) || $password != $password2 || user_exists($username))
{
return false;
}
$code = generate_code(20);
$sql = sprintf("insert into login (username,password,email,actcode) value ('%s','%s','%s','%s')",
mysql_real_escape_string($username), mysql_real_escape_string(sha1($password . $seed))
, mysql_real_escape_string($email), mysql_real_escape_string($code));
if (mysql_query($sql))
{
$id = mysql_insert_id();
if (sendActivationEmail($username, $password, $id, $email, $code))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
return false;
}
function lostPassword($username, $email)
{
global $seed;
if (!valid_username($username) || !user_exists($username) || !valid_email($email))
{
return false;
}
$query = sprintf("select loginid from login where username = '%s' and email = '%s' limit 1",
$username, $email);
$result = mysql_query($query);
if (mysql_num_rows($result) != 1)
{
return false;
}
$newpass = generate_code(8);
$query = sprintf("update login set password = '%s' where username = '%s'",
mysql_real_escape_string(sha1($newpass.$seed)), mysql_real_escape_string($username));
if (mysql_query($query))
{
if (sendLostPasswordEmail($username, $email, $newpass))
{
return true;
} else
{
return false;
}
} else
{
return false;
}
return false;
}
?>
Step 13: Creating the validation.functions.inc.php file
This file will contain the validation functions, these function will validate the user input to see if it’s valid and doesn’t contain any illegal characters.
file: validation.functions.inc.php
<?php
#### Validation functions ####
function valid_email($email)
{
// First, we check that there's one @ symbol, and that the lengths are right
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email))
{
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++)
{
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
$local_array[$i]))
{
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1]))
{ // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2)
{
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++)
{
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i]))
{
return false;
}
}
}
return true;
}
function valid_username($username, $minlength = 3, $maxlength = 30)
{
$username = trim($username);
if (empty($username))
{
return false; // it was empty
}
if (strlen($username) > $maxlength)
{
return false; // to long
}
if (strlen($username) < $minlength)
{
return false; //toshort
}
$result = ereg("^[A-Za-z0-9_\-]+$", $username); //only A-Z, a-z and 0-9 are allowed
if ($result)
{
return true; // ok no invalid chars
} else
{
return false; //invalid chars found
}
return false;
}
function valid_password($pass, $minlength = 6, $maxlength = 15)
{
$pass = trim($pass);
if (empty($pass))
{
return false;
}
if (strlen($pass) < $minlength)
{
return false;
}
if (strlen($pass) > $maxlength)
{
return false;
}
$result = ereg("^[A-Za-z0-9_\-]+$", $pass);
if ($result)
{
return true;
} else
{
return false;
}
return false;
}
?>
#### Validation functions ####
function valid_email($email)
{
// First, we check that there's one @ symbol, and that the lengths are right
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email))
{
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++)
{
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
$local_array[$i]))
{
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1]))
{ // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2)
{
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++)
{
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i]))
{
return false;
}
}
}
return true;
}
function valid_username($username, $minlength = 3, $maxlength = 30)
{
$username = trim($username);
if (empty($username))
{
return false; // it was empty
}
if (strlen($username) > $maxlength)
{
return false; // to long
}
if (strlen($username) < $minlength)
{
return false; //toshort
}
$result = ereg("^[A-Za-z0-9_\-]+$", $username); //only A-Z, a-z and 0-9 are allowed
if ($result)
{
return true; // ok no invalid chars
} else
{
return false; //invalid chars found
}
return false;
}
function valid_password($pass, $minlength = 6, $maxlength = 15)
{
$pass = trim($pass);
if (empty($pass))
{
return false;
}
if (strlen($pass) < $minlength)
{
return false;
}
if (strlen($pass) > $maxlength)
{
return false;
}
$result = ereg("^[A-Za-z0-9_\-]+$", $pass);
if ($result)
{
return true;
} else
{
return false;
}
return false;
}
?>
Step 14: Creating the lostpassword.php file
When the user lost his password he can request a new temporary password. He has to enter his username and his password, if they are correct his password will be reset to a radom generated password and an email will be sent containing this new password, the user can use this password to login and change its password.
file: lostpassword.php
<?php
require_once "header.php";
if (isset($_POST['lostpass'])){
if (lostPassword($_POST['username'], $_POST['email'])){
echo "Your password has been reset, an email containing your new password has been sent to your inbox.<br />
<a href='./index.php'>Click here to return to the homepage.</a>
";
}else {
echo "Username or email was incorrect !";
show_lostpassword_form();
}
} else {
//user has not pressed the button
show_lostpassword_form();
}
require_once "footer.php";
?>
require_once "header.php";
if (isset($_POST['lostpass'])){
if (lostPassword($_POST['username'], $_POST['email'])){
echo "Your password has been reset, an email containing your new password has been sent to your inbox.<br />
<a href='./index.php'>Click here to return to the homepage.</a>
";
}else {
echo "Username or email was incorrect !";
show_lostpassword_form();
}
} else {
//user has not pressed the button
show_lostpassword_form();
}
require_once "footer.php";
?>
Step 15: Creating the changepassword.php file
On this page the user can change his password, ofcouse he has to be logged in first. He will also have to enter his old password.
file: changepassword.php
<?php
require_once "header.php";
if (isLoggedIn() == true)
{
if (isset($_POST['change']))
{
if (changePassword($_POST['username'], $_POST['oldpassword'], $_POST['password'],
$_POST['password2']))
{
echo "Your password has been changed ! <br /> <a href='./index.php'>Return to homepage</a>";
} else
{
echo "Password change failed! Please try again.";
show_changepassword_form();
}
} else
{
show_changepassword_form();
}
} else {
// user is not loggedin
show_loginform();
}
require_once "footer.php";
?>
require_once "header.php";
if (isLoggedIn() == true)
{
if (isset($_POST['change']))
{
if (changePassword($_POST['username'], $_POST['oldpassword'], $_POST['password'],
$_POST['password2']))
{
echo "Your password has been changed ! <br /> <a href='./index.php'>Return to homepage</a>";
} else
{
echo "Password change failed! Please try again.";
show_changepassword_form();
}
} else
{
show_changepassword_form();
}
} else {
// user is not loggedin
show_loginform();
}
require_once "footer.php";
?>
Step 16: Creating the register.php file
On this page users can create an account.
file: register.php
<?php
require_once "header.php";
if (isset($_POST['register'])){
if (registerNewUser($_POST['username'], $_POST['password'], $_POST['password2'], $_POST['email'])){
echo "Thank you for registering, an email has been sent to your inbox, Please activate your account.
<a href='./index.php'>Click here to login.</a>
";
}else {
echo "Registration failed! Please try again.";
show_registration_form();
}
} else {
// has not pressed the register button
show_registration_form();
}
require_once "footer.php";
?>
require_once "header.php";
if (isset($_POST['register'])){
if (registerNewUser($_POST['username'], $_POST['password'], $_POST['password2'], $_POST['email'])){
echo "Thank you for registering, an email has been sent to your inbox, Please activate your account.
<a href='./index.php'>Click here to login.</a>
";
}else {
echo "Registration failed! Please try again.";
show_registration_form();
}
} else {
// has not pressed the register button
show_registration_form();
}
require_once "footer.php";
?>
Step 17: Creating the activate.php file
On this page users can activate their account.
file: activate.php
<?php
require_once "header.php";
$uid = (int)htmlentities(strip_tags($_GET['uid']));
$actcode = htmlentities(strip_tags($_GET['actcode']));
if (activateUser($uid, $actcode) == true)
{
echo "Thank you for activating your account, You can now login.
<a href='./index.php'>Click here to login.</a>";
} else
{
echo "Activation failed! Please try again.";
echo "If problem presists please contact the webmaster.";
}
require_once "footer.php";
?>
require_once "header.php";
$uid = (int)htmlentities(strip_tags($_GET['uid']));
$actcode = htmlentities(strip_tags($_GET['actcode']));
if (activateUser($uid, $actcode) == true)
{
echo "Thank you for activating your account, You can now login.
<a href='./index.php'>Click here to login.</a>";
} else
{
echo "Activation failed! Please try again.";
echo "If problem presists please contact the webmaster.";
}
require_once "footer.php";
?>
Can we get this tutorial fixed? I’ce started but well, as you can see its borked up in the posting. I’ve messed with a few user system scripts and wanted to see how this one turned out, and how easily modified it is for something i need one for. Thanks
Woops, Sorry for the messup
– fixed –
Hey, i have tried this out, and everything seemed fine, but when i try to login with user and password, i just get that i have the wrong login information.. even tried to resetting the password and login with that, but still just getting “Incorrect Login information !”, any suggestions?
[…] ineedtutorials.com han publicado un interesantísimo tutorial con los pasos a seguir para montar un completo sistema […]
I couldn’t understand some parts of this article o.us poetry, but I guess I just need to check some more resources regarding this, because it sounds interesting.
hey welldone for the script,but i think you have some small misktakes for example when you go to register and on register i think you hadt misktake in the file becuase it is register.php thanks very much
Hey i think you have a mistake in the registersection when you go register its becoming the same page becuase the link is register.php
someone can replay back with the mistakes thanks
asd
Hello
I published a post of a login member system in ajax
If someone is interested, this is the url:
http://www.recursosdelweb.com/como-hacer-un-sistema-de-login-en-ajax-y-php/
bye!
This doesent work…
# Ray Said,
Hey, i have tried this out, and everything seemed fine, but when i try to login with user and password, i just get that i have the wrong login information.. even tried to resetting the password and login with that, but still just getting “Incorrect Login information !”, any suggestions?
____
I have the same problem! Help me.
I’ve tested out the script and everything seems to work fine here.
I did found an error in the SQL query that inserts the admin account, it was not activated by default, that’s fixed now.
If it’s still not working try echo’ing some things in the checklogin function, but again the script should work fine, make sure you have copy/pasted everything correctly.
* Sorry for my late respons i have exames for the moment.
Some people have mentioned that there are errors in the script on this page. Have these errors been corrected yet?
@ jim
I’ve re-tested the entire script. works perfectly here. so i guess all errors are gone.
Can I know at least who are registered after this script is work? When I login as admin I just saw
Welcome Admin and change password then logout. I wonder how to check member
Can I know at least who are registered after this script is work? When I login as admin I just saw
Welcome Admin and change password then logout. I wonder how to check member?
Hey I’m new to advance PHP programming, and I don’t know to much sql.
so what are you supposed to do with the SQL query. do I make a file
or something?
[…] entry was written by admin. Bookmark the permalink. Follow any comments here with the RSS feed for this post.Content related […]
This script doesnt work at all for me, i have copy n pasted several times and all i get on the index page is a white screen, it seems as if the display functions file isnt working?
seems as if a bracket like } is missing on your file
Hi
This does not work for me, I cant
login, nor can I create a new account.
The only thing that does seem to work
is the “lost password” part.
I noticed a few people have had this
problem, have you fixed the probem?
If yes can you please tell me how you
fixed it.
Thanks
Hi out there… I need a bit help over here, i even cant see the login formular? Im a little noobie, but plz help me :).. IT tell me a error in login.php:
Fatal error: Call to undefined function isloggedin() in C:\xampp\htdocs\MoreAdvanced\login.php on line 10 - and this error in logout.php :
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\MoreAdvanced\logout.php:9) in C:\xampp\htdocs\MoreAdvanced\logout.php on line 10
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\MoreAdvanced\logout.php:9) in C:\xampp\htdocs\MoreAdvanced\logout.php on line 10
Plz help me guys…
this tutorial is great and every thing works 4 me, but i would like some help i dont want someone register with the same email more then once. I was wondering how can i validate that an email already exist in my database?
I cannot seem to get the e-mails to work. Whenever I register a name, I see it appears in the DB, but it still says “Registration failed! Please try again.” and doesn’t send the e-mail… so I am assuming that it fails b/c the e-mail is false. any help?
hi, no display at all. i don’t know how to track error and fix em. how to make errors to display?
@ header.php
what is the difference of a ‘ and ” ??
require_once (’db_connect.inc.php’); // include the database connection
require_once (”functions.inc.php”); // include all the function
tnx!
Use a Select funtion to check for an exit email address
need help creating member oriented website using PHP and xhtml.
This is great!
At first all I could get was a blank screen - it turned out
I had named a file incorrectly.
Then it wouldn’t let me register. I tried sniffing out any errors but the
logic here is pretty flawless.
Turns out:
The problem was an ID-10T error. It’s easy to fix just follow the directions heh.
Thank you,
great example it really helps thank you
Hmm sometimes it’ll get some errors there,i wonder why?
@ Sharpie
I got the same error, and then I noticed that the passwords have to be AT LEAST 6 characters long (I was using a 4 character password) once I used one with 6 characters it worked perfectly, so when you create the “login” table and input your info, try using 123456 or something like that for password, same for registering new users. Hopefully it will work for you.
@admin
thanks for the script, it’s a great, great piece of code… I don’t know if the password being 6 characters long is actually a requirement (haven’t analyzed the code yet) but if it is, a note would definetly help newbies like mtyself haha, again thanks! script like this really help us get to new levels of PHP understanding.
You made a little error on step 14. On the description you say you have to enter in the username and password in order to change your lost password. I know you meant email, because it reflects in the code, but It kinda threw me off lol
Very nice tutorial!
Easy to understand, modify and use!
Keep em’ coming!
hi,
i try execute this below programme and also i create the database but it
not work.
<?php
// Database settings
// database hostname or IP. default:localhost
// localhost will be correct for 99% of times
define(”HOST”, “localhost”);
// Database user
define(”DBUSER”, “md5″);
// Database password
define(”PASS”, “logical”);
// Database name
define(”DB”, “info”);
############## Make the mysql connection ###########
$conn = mysql_connect(HOST, DBUSER, PASS);
if (!$conn)
{
// the connection failed so quit the script
die(’Could not connect !Please contact the site\’s administrator.’);
}
$db = mysql_select_db(DB);
if (!$db)
{
// cannot connect to the database so quit the script
die(’Could not connect to database !Please contact the site\’s administrator.’);
}
?>
i try to excute this on to Wamp but it gives me an error.
***Warning: mysql_connect() [function.mysql-connect]: Access denied for user ‘md5′@’localhost’ (using password: YES) in C:\wamp\www\db_connect.inc.php on line 14
Could not connect !
Please contact the site’s administrator.***
please help me
nikee
I got the problem with the blank index page. My MySql connection is correct but I got a problem with the index.php file I only se a white page and nothing else? can anyone help me?
Thinks I done:
I have checkt all the file names and there is no fauæt with those they are all correct.
I can se everything now but I now got two new problems
that I need some help with. First I got the same problem as some of they other users I get the message that the user account is not made even thoe it is. My second problem is that I am having some problems with the login function I can se the user accounts in my database but when I try to login I get the message that I have enter the wrong information even thoe I know that it is the rigt information.
Hope someone can find the time to help this sad panda.
nikee try this one. open the file db_connect.inc.php, and replace it
with this codes.
note* if your running it at local installation dont change the $hostname.
follow this codes.
$hostname=”localhost”; // don’t change
$mysql_login=”root”; // don’t change
$mysql_password=”"; leave it blank
$database=”database_name”;
if (!($db = mysql_connect($hostname, $mysql_login , $mysql_password))){
die(”Can’t connect to mysql.”);
}else{
if (!(mysql_select_db(”$database”,$db))) {
die(”Can’t connect to db.”);
}
}
@ Lars
hey mate, for the blank pages… make sure there are NO additional spaces or characters in your files as this will fault the Session starts… depending on PHP error reporting settings this will either show the error or through in a blank page. Otherwise check the other php settings, especially module settings, might be that some register faulty, causing the php engine to crap out.
On the user registration.. make sure you register your users with a 6 character password… this will remove the users not showing in the admin login and get the logon working for the users.
In general, although php error reporting settings should not through the script off, to see if php settings are the problem, make sure your PHP error reporting is set to default…
I am still new with PHP, have followed this tutorial closely and am running into a problem. I made all pages as it says in tutorial. The db connection settings are correct, put everything on the site. when going to the site it is asking me if I want to save the file or find a program on the internet to open it. What have I done wrong? In one of the other tutorials I followed for a login I had the same problem and found that “try true” had to be in the url, that got the page to load on that tutorial but then the rest of the script was broken. Any help in getting this fixed would be appreciated.
One of the best tuts on the net regarding authentication. I used it as a base for building a very complex register and login application for my project. Most problems i read about here is about missing semicolons “;” i bet
- or errors in code added that is not part of this tutorial, or errors regarding special contidions on the users servers.
Well done mate. You saved me for 2 months of reading.
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/ubiquese/public_html/login/logout.php:1) in /home/ubiquese/public_html/login/logout.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at /home/ubiquese/public_html/login/logout.php:1) in /home/ubiquese/public_html/login/logout.php on line 5
Any clues??????
hay soporte en español????
Hi,
got the same problem as a 24. Sharpie. How I can Use a Select funtion to check for an exit email address? I use free hosting. That can be a reason why is it not working??? Thx
Hola www.grupobacco.com/php no me resulta alguien puede ayudarme ?
hey I have copy and paste the codes! everything seems to me fine but whenever I run the index.php it show me blank screen!
Also if I want to run login.php it show me error named:Fatal error: Call to undefined function isloggedin() in C:\xampp\htdocs\ad-login\login.php on line 2
pls help me ASAP!! It’s urgent!!
dear admin, pls give me a solution! I think a lot of people faced this problem! pls help me about this regard!
I have exactly the same error as @Hasnat…
Plz admin help us…
@hasnat, if you have the answer can you tell me plz
tanks,
ORiOn
hello nice site!
http://theodorejlacour52.blogspot.com
Can someone that has this working send me the files in a zip file? I still got the problem with the message that the user account is not made even thoe it is. My second problem is that I am having some problems with the login function I can se the user accounts in my database but when I try to login I get the message that I have enter the wrong information even thoe I know that it is the rigt information.
@ADMIN
Yo !
Great script
Just wondering what kind of licience or rights we have to it.
Des
This is great
script is not working for me. it is showing blank page on index.php and
Fatal error: Call to undefined function: isloggedin()
in /XXX/XXX/public_html/XXX/member/login.php on line 2
in login.php file.
vRFZLq fw831f64td9glse934dkjga
i had the same problems,do exactly what it says and copy it,there is a minimum limit on the password to 6 so make sure its more than six characters long.Also ont eh db_connect form change the domain name to yours for the validation to work.
Add A Comment