Secure Login and Registration in PHP using Prepared Statements Tutorial

Introduction

In this tutorial, you will learn the basics and best practices for creating a secure login and registration feature in PHP. It provides sample snippets that demonstrate a secure login and registration flow in PHP using prepared statements. The main goal of this article is to give students and programmers who are new to the PHP language a reference to learn from.

Why do we need to secure our Web Application Login and Registration?

We must secure our site's login and registration functionality to prevent malicious actors from damaging or gaining access to our site's data. Doing so also earns the trust of your end users, because the site protects their data, especially when they store sensitive or personal information on it.

How can we Create a Secure Login and Registration using PHP?

There are many ways and techniques to create a secure login and registration feature for a site. One of the most common nowadays is two-factor authentication or OAuth. Here, I will only show you the best practice for creating a basic one using PHP prepared statements and sanitizing the data.

Getting Started

Download a local server package such as XAMPP or WAMP to run the PHP scripts and the MySQL database on your machine. After the installation, make sure that Apache and MySQL are started and running on your local machine.

Creating the Database

Create a new database and name it "sample_db". If you are using XAMPP/WAMP, browse to http://localhost/phpmyadmin in your preferred browser to create the database. After that, run the following MySQL script to create the `user_tbl` table in your newly created database.

CREATE TABLE `user_tbl` (
  `id` int(11) NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `first_name` varchar(250) NOT NULL,
  `middle_name` varchar(250) NOT NULL,
  `last_name` varchar(250) NOT NULL,
  `username` text NOT NULL,
  `password` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Creating the Database Connection

The following snippet is the PHP Script that connects your site to the database. Save the script as "db-connect.php" in your source code folder.

<?php
// Server Name
$host = "localhost";
// Database Username
$username = "root";
// Database Password
$password = "";
// Database Name
$db_name = "sample_db";

// Create Connection
$conn = new mysqli($host, $username, $password, $db_name);

// Check if the database connection failed, then die.
// new mysqli() still returns an object on failure, so test connect_error rather than !$conn.
if($conn->connect_error){
    die("Database connection failed.");
}
// Use the same character set as the table
$conn->set_charset("utf8mb4");
?>

Creating the Authentication

The following snippet is a PHP script that checks whether the current user is allowed to load the current page. It prevents users from accessing the main page without logging in to the site, and it sends users who are already logged in away from the login and registration pages. Save the script as "auth.php".

<?php
// Start (or resume) the session before reading $_SESSION
if(session_status() === PHP_SESSION_NONE){
    session_start();
}
// Name of the script being executed, e.g. "login.php"
$_self = basename($_SERVER['SCRIPT_NAME']);

if($_self == "login.php" || $_self == "register.php"){
    // On the login or registration page: a logged-in user is sent to the main page
    if(isset($_SESSION['id']) && !empty($_SESSION['id'])){
        header('location: index.php');
        exit;
    }
}else{
    // On any other page: a user who is not logged in is sent to the login page
    if(!isset($_SESSION['id']) || empty($_SESSION['id'])){
        header('location: login.php');
        exit;
    }
}
?>
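As an added example that is not part of the original tutorial, the helper below hardens the session handling that auth.php depends on: the session cookie is marked HttpOnly and SameSite=Lax (and Secure when the page is served over HTTPS), strict mode rejects session ids the server never issued, and each page states its requirement explicitly through require_login() or require_guest() instead of inferring it from the script name. The function names are my own and are not defined by the tutorial.

```php
<?php
// Added example: hardened session bootstrap for the auth.php check above.
// Function names are assumptions; the tutorial itself does not define them.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // HttpOnly keeps the cookie away from JavaScript, SameSite=Lax limits
    // cross-site requests, Secure is set only when the page is served over TLS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Only accept session ids the server issued, and only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// True when login.php stored a non-empty user id in the session.
function is_logged_in(): bool
{
    return !empty($_SESSION['id']);
}

// For pages such as index.php: send anonymous visitors to the login page.
function require_login(string $login_page = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $login_page);
        exit;
    }
}

// For login.php and register.php: send already-authenticated users home.
function require_guest(string $home_page = 'index.php'): void
{
    if (is_logged_in()) {
        header('Location: ' . $home_page);
        exit;
    }
}

start_secure_session();
```

A page would include this file and then call require_login() (index.php) or require_guest() (login.php, register.php) at the top of the script.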

Creating the Registration

Here is the sample snippet for creating the registration page of your site. It contains the HTML and PHP for the page interface and the registration form. This file also contains the code for saving the new user's information to the database. Save the file as "register.php".

<?php
include "db-connect.php";
require_once("auth.php");

if($_SERVER['REQUEST_METHOD'] == "POST"){
    // Trim the inputs. Quoting is handled by bind_param() below, so no
    // addslashes()/real_escape_string() here: they would store backslashes in the table.
    $fname = trim($_POST['first_name'] ?? '');
    $mname = trim($_POST['middle_name'] ?? '');
    $lname = trim($_POST['last_name'] ?? '');
    $uname = trim($_POST['username'] ?? '');
    $plain = $_POST['password'] ?? '';
    // Check username duplication with a prepared statement as well
    $check_stmt = $conn->prepare("SELECT id FROM `user_tbl` WHERE `username` = ?");
    $check_stmt->bind_param("s", $uname);
    $check_stmt->execute();
    $check = $check_stmt->get_result()->num_rows;
    $check_stmt->close();
    if($fname === '' || $lname === '' || $uname === '' || $plain === ''){
        // The required attribute is only enforced by the browser, so check here too
        $err = "Please fill in all required fields.";
    }elseif($check > 0){
        $err = "Username is already taken!";
    }else{
        // Store only the password hash, never the plain-text password
        $password = password_hash($plain, PASSWORD_DEFAULT);
        $sql = "INSERT INTO `user_tbl` (`first_name`, `middle_name`, `last_name`, `username`, `password`) VALUES (?, ?, ?, ?, ?)";
        $stmt = $conn->prepare($sql);
        $stmt->bind_param("sssss", $fname, $mname, $lname, $uname, $password);
        $stmt->execute();
        if($stmt->affected_rows > 0){
            $success = "Account has been created successfully. <a href='login.php'>Login Now!</a>";
            $_SESSION['success_msg'] = $success;
            $stmt->close();
            header('location: register.php');
            exit;
        }else{
            $err = "Creating your account failed for some reason!";
        }
        $stmt->close();
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-gH2yIJqKdNHPEq0n4Mqa/HGKIhSkIHeL5AyhkYV8i59U5AR6csBvApHHNl/vI1Bx" crossorigin="anonymous">
    <title>Registration - Secure Login and Registration</title>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js" integrity="sha384-ODmDIVzN+pFdexxHEHFBQH3/9/vQ9uori45z4JjnFsRydbmQbmL5t1tQ0culUzyK" crossorigin="anonymous"></script>
    <style>
        html, body {
            min-height:100%;
            width: 100%
        }
    </style>
</head>
<body class="bg-primary bg-opacity-75 bg-gradient">
    <div class="container my-5 py-4">
        <h2 class="text-center text-light">Create New Account</h2>
        <div class="col-lg-5 mx-auto">
            <hr class="border-light">
            <div class="card rounded-0">
                <div class="card-body rounded-0">
                    <div class="container-fluid">
                        <!-- Submitted values are HTML-escaped before being echoed back into the form -->
                        <form id="registration-form" action="" method="POST">
                            <div class="mb-3">
                                <label for="first_name"><b>First Name</b> <span class="text-danger">*</span></label>
                                <input type="text" class="form-control rounded-0" id="first_name" name="first_name" required="required" value="<?= htmlspecialchars($_POST['first_name'] ?? '') ?>" placeholder="John">
                            </div>
                            <div class="mb-3">
                                <label for="middle_name"><b>Middle Name</b></label>
                                <input type="text" class="form-control rounded-0" id="middle_name" name="middle_name" value="<?= htmlspecialchars($_POST['middle_name'] ?? '') ?>" placeholder="(optional)">
                            </div>
                            <div class="mb-3">
                                <label for="last_name"><b>Last Name</b> <span class="text-danger">*</span></label>
                                <input type="text" class="form-control rounded-0" id="last_name" name="last_name" required="required" value="<?= htmlspecialchars($_POST['last_name'] ?? '') ?>" placeholder="Smith">
                            </div>
                            <div class="mb-3">
                                <label for="username"><b>Username</b> <span class="text-danger">*</span></label>
                                <input type="text" class="form-control rounded-0" id="username" name="username" required="required" value="<?= htmlspecialchars($_POST['username'] ?? '') ?>" placeholder="myusername">
                            </div>
                            <div class="mb-3">
                                <label for="password"><b>Password</b> <span class="text-danger">*</span></label>
                                <input type="password" class="form-control rounded-0" id="password" name="password" required="required" placeholder="********">
                            </div>
                            <?php if(isset($_SESSION['success_msg']) && !empty($_SESSION['success_msg'])): ?>
                                <div class="alert alert-success">
                                    <?= $_SESSION['success_msg'] ?>
                                </div>
                                <?php unset($_SESSION['success_msg']); ?>
                            <?php else: ?>
                                <p class="text-center">
                                    <a href="login.php">Already have an account? Login here</a>
                                </p>
                            <?php endif; ?>
                            <?php if(isset($err) && !empty($err)): ?>
                                <div class="alert alert-danger">
                                    <?= htmlspecialchars($err) ?>
                                </div>
                            <?php endif; ?>
                        </form>
                    </div>
                </div>
                <div class="card-footer text-center">
                    <button class="btn btn-primary rounded-0" form="registration-form">Create Account</button>
                </div>
            </div>
        </div>
    </div>
    <?php
    $conn->close();
    ?>
</body>
</html>

Result

PHP - Registration

Creating the Login

The next snippet is the login page, which also consists of HTML and PHP. It contains the page interface with the login form and the code that checks the submitted username and password. Save the file as "login.php".

<?php
include "db-connect.php";
require_once("auth.php");
// Process Login
if($_SERVER['REQUEST_METHOD'] == "POST"){
    // username (quoting is handled by bind_param, so no escaping here)
    $uname = trim($_POST['username'] ?? '');
    // Check if the user exists
    $sql = "SELECT * FROM `user_tbl` WHERE `username` = ?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $result = $stmt->get_result();
    if($result->num_rows > 0){
        // User data exists
        $details = $result->fetch_assoc();
        // Verify the given password against the stored hash
        $password_verify = password_verify($_POST['password'] ?? '', $details['password']);
        if($password_verify){
            // Issue a new session id on login so an id obtained before login cannot be reused (session fixation)
            session_regenerate_id(true);
            // Save the user details in the session, but never the password hash
            unset($details['password']);
            foreach($details as $k => $v){
                $_SESSION[$k] = $v;
            }
            $stmt->close();
            header('location: index.php');
            exit;
        }else{
            // Password does not match. Same message as for an unknown username,
            // so the response does not reveal which usernames exist.
            $err = "Invalid username or password.";
        }
    }else{
        // User does not exist
        $err = "Invalid username or password.";
    }
    $stmt->close();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-gH2yIJqKdNHPEq0n4Mqa/HGKIhSkIHeL5AyhkYV8i59U5AR6csBvApHHNl/vI1Bx" crossorigin="anonymous">
    <title>Login - Secure Login and Registration</title>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js" integrity="sha384-ODmDIVzN+pFdexxHEHFBQH3/9/vQ9uori45z4JjnFsRydbmQbmL5t1tQ0culUzyK" crossorigin="anonymous"></script>
    <style>
        html, body{
            height:100%;
            width:100%;
            margin:unset;
        }
    </style>
</head>
<body class="bg-primary bg-opacity-75 bg-gradient">
    <div class="container my-auto d-flex flex-column align-items-center justify-content-center h-100">
        <h2 class="text-center text-light">Login Page</h2>
        <hr>
        <div class="col-lg-5 mx-auto">
            <div class="card rounded-0">
                <div class="card-body rounded-0">
                    <div class="container-fluid">
                        <form id="login-form" action="" method="POST">
                            <div class="mb-3">
                                <label for="username"><b>Username</b></label>
                                <input type="text" class="form-control rounded-0" id="username" name="username" required="required" value="<?= htmlspecialchars($_POST['username'] ?? '') ?>" placeholder="myusername">
                            </div>
                            <div class="mb-3">
                                <label for="password"><b>Password</b></label>
                                <input type="password" class="form-control rounded-0" id="password" name="password" required="required" placeholder="********">
                            </div>
                            <?php if(isset($err) && !empty($err)): ?>
                                <div class="alert alert-danger">
                                    <?= htmlspecialchars($err) ?>
                                </div>
                            <?php endif; ?>
                            <p class="text-center">
                                <a href="register.php">Create a New Account</a>
                            </p>
                        </form>
                    </div>
                </div>
                <div class="card-footer text-center">
                    <button class="btn btn-primary rounded-0" form="login-form">Login</button>
                </div>
            </div>
        </div>
    </div>
    <?php
    $conn->close();
    ?>
</body>
</html>
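The following function is an added example, not the tutorial's own code. It performs the same prepared-statement lookup and password_verify() as login.php, but as one reusable function that returns the user row on success and null otherwise. It always runs password_verify(), against a dummy hash when the username is unknown, so the response time does not reveal whether a username exists; it upgrades stored hashes when PHP's default cost changes; it regenerates the session id after login; and it never copies the password hash into the session. It assumes db-connect.php has provided $conn, that auth.php has started the session, and the user_tbl table from this tutorial; authenticate_user and $DUMMY_HASH are my own names.

```php
<?php
// Added example (not from the tutorial). Assumes db-connect.php provides $conn,
// the session is already started, and user_tbl exists. Names are assumptions.

// A valid hash of a throwaway password, constructed at startup, used only so
// that unknown usernames cost the same password_verify() time as known ones.
$DUMMY_HASH = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

function authenticate_user(mysqli $conn, string $username, string $password, string $dummy_hash): ?array
{
    $stmt = $conn->prepare("SELECT * FROM `user_tbl` WHERE `username` = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against the real hash if the user exists, otherwise against the
    // dummy hash, so both branches take roughly the same time.
    $hash = $row ? $row['password'] : $dummy_hash;
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return null;   // one generic failure result for both cases
    }

    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE `user_tbl` SET `password` = ? WHERE `id` = ?");
        $upd->bind_param("si", $new_hash, $row['id']);
        $upd->execute();
        $upd->close();
    }

    // A fresh session id after the privilege change defeats session fixation.
    session_regenerate_id(true);
    unset($row['password']);              // the hash does not belong in the session
    foreach ($row as $k => $v) {
        $_SESSION[$k] = $v;
    }
    return $row;
}

// Usage inside login.php's POST handler:
// $user = authenticate_user($conn, trim($_POST['username'] ?? ''), $_POST['password'] ?? '', $DUMMY_HASH);
// if ($user === null) { $err = "Invalid username or password."; } else { header('Location: index.php'); exit; }
```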

Result

PHP - Login

Creating the Main Page

Here's a sample snippet of the main page for logged-in users. The page displays the user's information except for the password. Save the file as "index.php".

<?php
include "db-connect.php";
require_once("auth.php");
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-gH2yIJqKdNHPEq0n4Mqa/HGKIhSkIHeL5AyhkYV8i59U5AR6csBvApHHNl/vI1Bx" crossorigin="anonymous">
    <title>Home - Secure Login and Registration</title>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js" integrity="sha384-ODmDIVzN+pFdexxHEHFBQH3/9/vQ9uori45z4JjnFsRydbmQbmL5t1tQ0culUzyK" crossorigin="anonymous"></script>
    <style>
        html, body{
            height:100%;
            width:100%;
            margin:unset;
        }
    </style>
</head>
<body class="bg-primary bg-opacity-75 bg-gradient">
    <div class="container h-100 d-flex flex-column align-items-center justify-content-center">
        <div class="col-6 mb-3">
            <h1 class="text-center text-light fw-bolder">PHP Secure Login and Registration</h1>
            <hr class="border-light">
        </div>
        <div class="col-lg-5">
            <div class="card rounded-0">
                <div class="card-body rounded-0">
                    <div class="container-fluid">
                        <h3 class="text-center">Welcome!</h3>
                        <hr>
                        <h4>Your Account Details:</h4>
                        <!-- Values came from user input at registration, so they are HTML-escaped on output -->
                        <dl>
                            <dt>First Name</dt>
                            <dd class="ps-4"><?= htmlspecialchars($_SESSION['first_name']) ?></dd>
                            <dt>Middle Name</dt>
                            <dd class="ps-4"><?= htmlspecialchars($_SESSION['middle_name']) ?></dd>
                            <dt>Last Name</dt>
                            <dd class="ps-4"><?= htmlspecialchars($_SESSION['last_name']) ?></dd>
                            <dt>Username</dt>
                            <dd class="ps-4"><?= htmlspecialchars($_SESSION['username']) ?></dd>
                        </dl>
                    </div>
                    <div class="d-grid mt-3">
                        <a href="logout.php" class="btn btn-sm btn-danger bg-gradient rounded-0">Logout</a>
                    </div>
                </div>
            </div>
        </div>
    </div>
    <?php
    $conn->close();
    ?>
</body>
</html>

Result

PHP - Main

Creating the Logout Script

Here's the snippet for destroying the logged-in user's session. It is a PHP script that unsets and destroys the current user session and then returns the user to the login page. Save the file as "logout.php".

<?php
session_start();
session_unset(); session_destroy(); // clear the session data and remove the server-side session
header('location: login.php');
exit;
?>

DEMO VIDEO

That's it! You can now test the sample application that demonstrates the goal of this tutorial: a site with a secure login and registration feature. If you encounter any errors on your end, please review your changes or modifications and compare them with the code I provided above. You can also download the working source code I created for this tutorial. The download button is located below this article.

That is the end of this tutorial. I hope this will help you with what you are looking for and that you'll find this useful for your future PHP Projects. Explore more on this website for more Tutorials and Free Source Codes.

Happy Coding :)
