
Creating the Authentication Script

The goal of this script is to match the username and password submitted by the login form against a username and password hash stored in the same record of the auth_users table.

  1. Open a new file in your text editor and start a PHP block. Use the full <?php tag: the short <? form only works when short_open_tag is enabled in php.ini, and is off on many servers:

    <?php
    
  2. Check that values were actually entered for both fields. If either is missing or empty, send the user back to the form and exit the script. The exit matters: header() only sends the redirect, and without exit PHP would keep running the rest of the page:

    if (empty($_POST['username']) || empty($_POST['password'])) {
         header("Location: show_login.html");
         exit;
    }
    
  3. Create a variable to hold the name of the database on which the table resides:

    $db_name = "testDB";
    
    
  4. Create a variable to hold the name of the table that holds the user records this script checks against:

    $table_name = "auth_users";
    
  5. Add the connection information as you have been. Printing mysql_error() to the browser is convenient while developing, but on a live server it shows database details to visitors; log the error and show a generic message instead:

    $connection = @mysql_connect("localhost", "spike", "9sj7En4")
         or die(mysql_error());
    
  6. Select the database as you have learned:

    $db = @mysql_select_db($db_name, $connection) or die(mysql_error());
    
  7. Create the SQL statement. It looks for a record where the username column matches the username entered in the form and the password column matches a hash of the password entered in the form. Never drop raw form input into a query string: a username such as admin' -- (with a trailing space) would end the quoted string, comment out the password test, and log the attacker in as admin with any password. Escape both values with mysql_real_escape_string() first, passing the connection so the function uses the connection's character set:

    $username = mysql_real_escape_string($_POST['username'], $connection);
    $password = mysql_real_escape_string($_POST['password'], $connection);
    $sql = "SELECT * FROM $table_name WHERE username = '$username'
    AND password = password('$password')";

     The hash is produced by MySQL's PASSWORD() function, which must be the same function that was used when the rows in auth_users were inserted. Be aware that PASSWORD() is an unsalted hash meant for MySQL's own account table; it was deprecated in MySQL 5.7 and removed in 8.0. A script written today should store hashes made with PHP's password_hash() and check them with password_verify().
    
  8. Create a variable to hold the result of the mysql_query() function, as you have learned:

    $result = @mysql_query($sql,$connection) or die(mysql_error());
    
  9. Check for any results from the query by counting the number of rows returned in the result set:

    $num = mysql_num_rows($result);
    
  10. Start an if...else block to deal with your result. If the number of returned rows is not 0 (that is, at least one row came back), a match was found. Create a variable to hold an appropriate message:

    if ($num != 0) {
         $msg = "<P>Congratulations, you're authorized!</p>";
    
  11. If the number of returned rows is 0, no match was found. In that case, direct the user back to the login form, and then close the if...else block:

    } else {
         header("Location: show_login.html");
         exit;
    }
    
  12. Close your PHP block and add HTML:

    ?>
    <HTML>
    <HEAD>
    <TITLE>Secret Area</TITLE>
    </HEAD>
    <BODY>
    
  13. Display the message:

    <?php echo $msg; ?>
    
  14. Add some more HTML so that the document is valid:

    </BODY>
    </HTML>
    
  15. Save the file with the name do_authuser.php, and place this file in the document root of your web server.

Your code should look like this:

<?php
//check for required fields
if (empty($_POST['username']) || empty($_POST['password'])) {
     header("Location: show_login.html");
     exit;
}

//set up names of database and table to use
$db_name = "testDB";
$table_name = "auth_users";

//connect to server and select database
$connection = @mysql_connect("localhost", "spike", "9sj7En4")
     or die(mysql_error());
$db = @mysql_select_db($db_name, $connection) or die(mysql_error());

//escape the form values so they cannot change the meaning of the query
$username = mysql_real_escape_string($_POST['username'], $connection);
$password = mysql_real_escape_string($_POST['password'], $connection);

//build and issue the query
$sql = "SELECT * FROM $table_name WHERE username = '$username'
    AND password = password('$password')";

$result = @mysql_query($sql,$connection) or die(mysql_error());

//get the number of rows in the result set
$num = mysql_num_rows($result);

//print a message or redirect elsewhere, based on result
if ($num != 0) {
     $msg = "<P>Congratulations, you're authorized!</p>";
} else {
     header("Location: show_login.html");
     exit;
}
?>
<HTML>
<HEAD>
<TITLE>Secret Area</TITLE>
</HEAD>
<BODY>
<?php echo $msg; ?>
</BODY>
</HTML>
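
As an added example (not code from the original tutorial), here is the same login check written the way it would be done today: a prepared statement with a bound username parameter in place of a query assembled from strings, and PHP's password_hash()/password_verify() in place of MySQL's PASSWORD(). It uses an in-memory SQLite database through PDO so it runs on its own; the table, the user, the sample inputs and the injection attempt below are all constructed for this example. For the tutorial's setup you would swap the DSN for "mysql:host=localhost;dbname=testDB" with the same "spike" credentials and leave the rest unchanged.

```php
<?php
// Added example: hardened version of the tutorial's do_authuser.php check.
// Assumptions: PDO with the sqlite driver is available; the table layout,
// the user and the test inputs are constructed here, not taken from the page.

function open_db(): PDO {
    // In-memory database so the example is self-contained.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE auth_users (
                 id       INTEGER PRIMARY KEY,
                 username VARCHAR(25)  NOT NULL UNIQUE,
                 password VARCHAR(255) NOT NULL)");
    return $db;
}

// Registration side: store a salted, slow hash, never the password itself or
// an unsalted digest such as PASSWORD(), MD5() or SHA1().
function add_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare("INSERT INTO auth_users (username, password) VALUES (:u, :p)");
    $stmt->execute([':u' => $username,
                    ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: fetch the stored hash by username through a bound parameter, so
// the input is data and can never become part of the SQL, then let
// password_verify() do the comparison in PHP. Returns the user's id on
// success and null on failure.
function authenticate(PDO $db, string $username, string $password): ?int {
    // Hash of a throwaway string, verified when the user does not exist so an
    // unknown username takes about as long to reject as a wrong password.
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not a real password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare("SELECT id, password FROM auth_users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user

    $ok = password_verify($password, $row ? $row['password'] : $dummy_hash);
    return ($ok && $row) ? (int) $row['id'] : null;
}

// Constructed demonstration inputs.
$db = open_db();
add_user($db, 'spike', 'correct horse battery staple');

$cases = [
    ['spike',       'correct horse battery staple'],  // valid login
    ['spike',       'wrong password'],                // bad password
    ["spike' -- ",  'anything'],                      // injection attempt against the string-built query
    ['nobody',      'anything'],                      // unknown user
];

foreach ($cases as [$u, $p]) {
    $id = authenticate($db, $u, $p);
    printf("%-16s %-30s -> %s\n",
           var_export($u, true), $p,
           $id === null ? 'denied' : "user id $id");
}
```

Only the first case is accepted. The third case is the same trick that breaks the string-built query in the tutorial: with a bound parameter the database looks for a user literally named "spike' -- ", finds none, and the request is denied. In the tutorial's page you would call authenticate() where the mysql_num_rows() check is now, and on success start a session and record the returned id rather than printing a message.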

Next, you get to test the login form!

