Tutorials - Creating a PHP Login Script - Check if they are "logged in"
This article was written by OldSite (member since October 11, 2006).

This script sets a variable, $logged_in, to 1 if the user is logged in or 0 if they aren’t. We can then use this variable in our scripts. A few points:

  • We are going to use $_SESSION['username'] for our user’s username and $_SESSION['password'] for their password.
  • $_SESSION['password'] will be encrypted.
  • We need to start our session somewhere; here is a good place.
File: check_login.php
<?php

/* check login script, included in db_connect.php. */

session_start();

// not logged in until the session values have been checked.
$logged_in = 0;

if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
    return;
}

// remember, $_SESSION['password'] will be encrypted.

// the session username is bound to the "?" placeholder by PEAR DB,
// so it is never concatenated into the query string.
$qry = "SELECT password FROM users WHERE username = ?";
$pass = $db_object->query($qry, array($_SESSION['username']));

if (DB::isError($pass) || $pass->numRows() != 1) {
    // kill incorrect session variables and stop here, so we never
    // compare against an empty result.
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    return;
}

$db_pass = $pass->fetchRow();

// now we have encrypted pass from DB in
// $db_pass['password'], stripslashes() just in case:

$db_pass['password'] = stripslashes($db_pass['password']);
$_SESSION['password'] = stripslashes($_SESSION['password']);

// compare as strings; hash_equals() avoids the type juggling of ==.

if (hash_equals($db_pass['password'], $_SESSION['password'])) {
    // valid password for username
    $logged_in = 1; // they have correct info in session variables.
} else {
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    // kill incorrect session variables.
}

// clean up
unset($db_pass);

?>

What we did here was:

  • If the session variables aren’t set, they’re not logged in.
  • If they are set, fetch the password row from the database where the username is equal to the session variable username.
  • If the password cannot be fetched, the username mustn’t exist; kill the bad session variables.
  • If the password is fetched, the username is correct; compare the encrypted password from the database to the session variable password. If it matches, log them in. If not, the password is incorrect: don’t set them as logged in, and kill the bad session variables.
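
The steps above can be exercised end to end without the tutorial's database. This is an added example, not part of the original tutorial: it assumes PDO with an in-memory SQLite database in place of the PEAR DB object, and the function name check_session() and all sample rows are constructed for illustration.

```php
<?php
// Added example, not the tutorial's code. Assumes PDO + in-memory SQLite
// instead of PEAR DB; check_session() is a hypothetical name and every
// username and password string below is constructed sample data.

function check_session(PDO $db, array &$session): int
{
    if (!isset($session['username'], $session['password'])) {
        return 0;                       // nothing stored: not logged in
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Only compare when exactly one row came back; an unknown user must
    // never reach the comparison with an empty stored value.
    $ok = count($rows) === 1
        && hash_equals((string) $rows[0], (string) $session['password']);
    if (!$ok) {
        unset($session['username'], $session['password']);
        return 0;
    }
    return 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
// Constructed stand-ins for stored encrypted passwords.
$db->exec("INSERT INTO users VALUES ('alice', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')");
$db->exec("INSERT INTO users VALUES ('bob',   '0e111111111111111111111111111111')");

$cases = [
    'no session'       => [[], 0],
    'valid'            => [['username' => 'alice', 'password' => 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'], 1],
    'wrong password'   => [['username' => 'alice', 'password' => 'ffffffffffffffffffffffffffffffff'], 0],
    // carol has no row (for example, the account was removed after login).
    'deleted user'     => [['username' => 'carol', 'password' => 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'], 0],
    // "0e..." strings are numeric to PHP, so == would treat these as equal.
    'loose-equal hash' => [['username' => 'bob', 'password' => '0e222222222222222222222222222222'], 0],
];

foreach ($cases as $name => [$session, $expected]) {
    $got = check_session($db, $session);
    printf("%-17s logged_in=%d session_kept=%s %s\n", $name, $got,
        isset($session['username']) ? 'yes' : 'no',
        $got === $expected ? 'ok' : 'UNEXPECTED');
}
```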

So now we have our database connection, users can register accounts, and we are capable of checking whether they are logged in or not. We can use $logged_in in our scripts now. All that is left is to allow users to log in and log out.


In this tutorial:
  1. Introduction
  2. Connecting to the database
  3. Creating the table
  4. Sign Up
  5. Check if they are "logged in"
  6. Allow them to 'log in'
  7. Usage
  8. Conclusion