Follow these scripts that you find online.
All it boils down to is:
- Signup page to gather user details, upon save check each field is valid (ie. use regular expressions to check email address is valid), also check all required fields are completed
- If the above all checks out, then save to database AFTER you have sanitized the data (we don’t want any SQL injections now!)
- I’d recommend at least saving the password as a hash, so use something like
md5()
and i’d use a salt key too (so something like MD5($password.$salt)) – the SALT can be a timestamp of when the user signed up, a random string of letters/numbers (which I’d recommend) – and save this as well in the database. - When the user signs in, sanitize the data, check username exists and grab the salt key of that matching entry, then MD5 the incoming password with the SALT key and see if the strings match
- Save some kind of flag to $_SESSION, eg.
$_SESSION['loggedin'] = true;
then at the top of each protected page you can do some like in the example below - You could also then save a timestamp (
time()
) or datetime (date("Y-m-d H:i:s")
) to the database under a column labelled last_logged_in
I know this isn’t a load of code but it forms a basic guide to get you started
Example For Above
if($_SESSION['loggedin'] !== true){
header("Location: login.php");
exit;
} else {
// rest of protected page
}
2
solved Password protection, while keeping track of who is who [closed]