In my opinion, you would first need to create a hashed password. Creating a hashed password is much more secure than an encrypted password as it’s irreversible whereas an encrypted password can be decrypted.
So how do we do this? There are many ways to do it, but I’ll keep it simple.
[php]
$password = "YourPassword"; // You could use this
$hashedpass = hash('sha256', $password); // hash() takes the algorithm name as a string
[/php]
So now you have your password, copy & paste it into your MySQL database (assuming you have id, username and password as your field names in a table called password). I know you only want a password, but we need an identifier to check against, as pulling the password out in a query is insecure.
With the above, I’ve adjusted it slightly from what I’d use, I would have this updating the db automatically for a login system that has many users but for this example I think you only need an admin password…
So, now we have the password in the database, we’ll connect using PDO:
db.php
[php]
<?php
// Set the variables to connect
$db_myHost = "localhost";
$db_myUser = "username";
$db_myPassword = "password";
$db_myDatabase = "databasename";
// Declare a new db connection and test it (the DSN prefix is mysql: for a MySQL database)
try
{
    $dbconn = new PDO('mysql:host=' . $db_myHost . ';dbname=' . $db_myDatabase, $db_myUser, $db_myPassword);
    $dbconn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e)
{
    // echo "Error!: " . $e->getMessage();
    die();
}
[/php]
So the above is a simple PDO connection. We use PDO as the old style mysql_connect functions are now deprecated.
This next bit will allow you to enter your password before proceeding to the secure page:
login.php
[php]
<?php
// Only require it once as if it gets called again, the script will fail so it's added security
require_once('db.php');
$error = false;
// Check if the submit button has been pressed, if it hasn't there's no point running the code
if (isset($_POST['doLogin'])) {
    // Run the query
    // The reason we use :password and :username is to prevent SQL injections, that's the main pro with PDO
    $sth = $dbconn->prepare(
        'SELECT username FROM admin WHERE password = :password AND username = :username'
    );
    $params = array("username" => $_POST["username"], "password" => hash('sha256', $_POST["password"]));
    $sth->execute($params);
    if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
        // There's a row meaning the user has authenticated using a username and password
        session_start(); // Create a session. This is what we'll always check against to see if the user is authenticated
        // I send the username in the session so I can pull user data from the database
        $_SESSION['userName'] = $row['username'];
        // Header location will redirect the user. This only happens when fetch() returned a row, and it only does so if the username/password is correct
        header("Location: /admin.php");
        exit;
    } else {
        // Else is like 'otherwise', there's only 1 other outcome.... the username/password combination was incorrect. In this case we can simply output an error
        $error = true;
        $message = "Username or Password Incorrect";
    }
}
?>
<h1>Login</h1>
<?php
// If there's an error, output the message
if ($error == true) {
    echo "Your username or password was incorrect";
} else {
    // There was no error, show the form (field names match what the code above reads from $_POST)
    echo '<form method="post" action="login.php">
    Username <input type="text" name="username">
    Password <input type="password" name="password">
    <input type="submit" name="doLogin" value="Login">
    </form>';
}
?>
[/php]
That is most of it, now all we need to do is check for the session on the admin page…
admin.php
[php]
<?php
// Check if the username session exists
session_start();
if (isset($_SESSION['userName']))
{
    // This is where I would pull information based on the username but I don't think you need this for now. It's important to keep it in though as the else part of the statement means there's no session and the user is not authenticated
} else {
    // The user isn't logged in, redirect them to the login page and stop running the page
    header("Location: /login.php");
    exit;
}
?>
[/php]
I haven’t tested it so if you have any issues, let me know. Also, I tried to explain it as best I can but if there’s anything else you’d like to know or don’t understand, let us know so we can talk you through it.
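The same lookup-by-prepared-statement flow as an added, self-contained example that is not part of the post above: it runs on the command line against an in-memory SQLite database (assumes the pdo_sqlite extension), keeps the post's `admin` table with `id`, `username`, `password` columns, and swaps the post's bare SHA-256 for PHP's `password_hash()` / `password_verify()` (salted bcrypt), so the query selects the stored hash by username and the comparison happens in PHP.

```php
<?php
// Added example, not code from the original post. Assumed names: createDb(),
// addUser(), authenticate(); table "admin" (id, username, password) as in the post.

function createDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    return $db;
}

// Store a user with a salted hash; run once when creating the admin account.
function addUser(PDO $db, string $username, string $plainPassword): void
{
    $sth = $db->prepare('INSERT INTO admin (username, password) VALUES (:username, :password)');
    $sth->execute([
        'username' => $username,
        'password' => password_hash($plainPassword, PASSWORD_DEFAULT),
    ]);
}

// Returns the username on success, null otherwise. Named placeholders keep the
// user-supplied values out of the SQL text, which is the injection defence the
// post describes; the hash is verified in PHP rather than matched in the WHERE clause.
function authenticate(PDO $db, string $username, string $plainPassword): ?string
{
    $sth = $db->prepare('SELECT username, password FROM admin WHERE username = :username');
    $sth->execute(['username' => $username]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plainPassword, $row['password'])) {
        return null; // unknown user or wrong password: same answer for both
    }
    return $row['username']; // the caller would put this in $_SESSION['userName']
}

$db = createDb();
addUser($db, 'admin', 'YourPassword');                // constructed sample account
var_dump(authenticate($db, 'admin', 'YourPassword')); // correct credentials
var_dump(authenticate($db, 'admin', 'wrong'));        // wrong password
var_dump(authenticate($db, "admin' OR '1'='1", 'x')); // quote characters are just data to a bound parameter
```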