Php Secure Login

5.20.2008 | Old Posts

After being hacked yesterday I thought it would be a good idea to write a tutorial on how to make a secure login page in php.

1) The Database

First off you will need to create a database table:

CREATE TABLE `users` (
  `ID` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60)  NOT NULL DEFAULT '',
  `user_pass` varchar(60)  NOT NULL DEFAULT '',
  `display_name` varchar(50)  NOT NULL DEFAULT '',
  PRIMARY KEY  (`ID`),
  KEY `user_login_key` (`user_login`)
);

As you can see we have separate fields for the login name and the display name. This is important because later on we are going to md5 the username and the password before storing them. MD5 is a hashing function commonly used in PHP: it turns a string into a fixed-length digest that cannot be directly reversed.

2) The HTML

Nothing fancy has to be done with the HTML. A standard login form will do.

<form action="login.php" method="post">
Username: <input type="text" name="user" size="50"  /><br />
Password: <input type="password" name="pass" size="50"  /><br />
<input type="submit" name="submit" value="Login"  />
</form>

3) The PHP

Now the good part. Here is how you should validate the submitted input. login.php is as follows:

<?php
// Treat missing form fields as empty strings rather than raising notices.
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
$username = md5(strip_tags($user));
$password = md5(strip_tags($pass));

// mysql_connect() takes (server, username, password), in that order.
$db = mysql_connect("localhost", "dbuser", "dbpass");
mysql_select_db("dbname", $db); // replace "dbname" with your database name
$result = mysql_query(sprintf("SELECT * FROM users WHERE user_login='%s' AND user_pass='%s'",
    mysql_real_escape_string($username, $db), mysql_real_escape_string($password, $db)), $db);
if (mysql_num_rows($result) > 0) {
    // Do whatever here as they are logged in
    header("Location: private.php");
    exit; // stop here, otherwise the redirect below replaces this one
}
header("Location: public.php");
exit;
?>

A few things here.

  • We use the php strip_tags function to strip any HTML tags from the input. This is mainly to stop XSS.
  • We then md5 both the user and pass variables. This adds extra security by covering up the user's login and password. Also users can have a different display name from their login name, which makes hackers' lives that wee bit harder. Using md5 for at least the password field is good practice so no one can easily steal it, even if they get access to the database.
  • Finally we use the php mysql_real_escape_string function to escape special characters in a string for use in a SQL statement. This is to stop SQL Injection.

One of the major mistakes rookie web developers make is to skip mysql_real_escape_string() and use addslashes() instead. And even when they do use it, they forget to put quotes around the escaped value in the SQL statement. So remember to use mysql_real_escape_string(), and keep the quotes. If you want to read more into the issues surrounding website security why not have a look at security through obscurity and security by design.
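For comparison, here is the same login flow rebuilt on the PHP features that replaced the mysql_* extension (which was removed in PHP 7). This is an added example, not the post's own code: it assumes PHP 7.1 or later, PDO with the MySQL driver, placeholder DSN and credentials, and that user_pass has been widened to varchar(255) so it can hold a password_hash() digest.

```php
<?php
// Added example, not the original post's code: the same login flow on PDO
// prepared statements and password_hash()/password_verify(). Assumes PHP >= 7.1,
// the `users` table from section 1 with `user_pass` widened to varchar(255).
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder
        'dbuser', 'dbpass',                                 // placeholder
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Registration: store a salted, slow hash instead of md5().
function createUser(PDO $pdo, string $login, string $pass, string $name): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_login, user_pass, display_name) VALUES (?, ?, ?)'
    );
    $stmt->execute([$login, password_hash($pass, PASSWORD_DEFAULT), $name]);
}

// Login: user input is bound as a parameter, never spliced into the SQL text,
// so no escaping is needed; password_verify() checks against the stored hash.
function authenticate(PDO $pdo, string $login, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT ID, user_pass FROM users WHERE user_login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['user_pass'])) {
        return null; // same outcome for unknown login and wrong password
    }
    return (int) $row['ID'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = authenticate(db(), $_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($id !== null) {
        session_start();
        session_regenerate_id(true);   // fresh session id once logged in
        $_SESSION['user_id'] = $id;
        header('Location: private.php');
        exit;
    }
    header('Location: public.php');
    exit;
}
```

strip_tags() on input is not needed in this version; instead, pass display_name through htmlspecialchars() wherever it is echoed into HTML, which is where XSS is actually prevented.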

Conclusion

So I hope that is of some use to people. I have definitely learned my lesson when it comes to securing user inputs. This code won’t be foolproof and a good hacker might still be able to get round it. But it makes their lives a whole lot harder. If you have any ideas or comments on how to make this even safer, or even share an experience where you have been hacked, please leave a comment below.



Responses

illuz1oN
5.21.2008

That's it ;)

~ illuz1oN
