I use a very simple script for verifying logins. It's probably not the most secure way to do it, but it works. (If someone sees any potential security wholes, please tell me).
This script gets user data out of a databse (probably what you are looking for). Passwords are stored as a hash in the database, look up the crypt() function for hashing. In this example, I also have administrator access, which is noted in the program by having $access = 1.
$loguser and $logpass are the username and password variables passed from the login form.
Also, note that I use session_register() in this script, but that's because I wrote it a while ago. Look it up in the php manual, because a new method is suggested that doesn't use session_register.
As for user registration, that's just a matter of printing out a form and storing it in a database. Things like that I'm sure there are already tutorials around for.
// start session (declares cookie for tracking logins)
session_name( "admin_login" );
session_start();
$login = false;
$access = 0;
$logid = -1;
$qresult = mysql_query( "SELECT password,Administrator,id FROM users WHERE username='$loguser'" );
$num = mysql_num_rows( $qresult );
if ( $num == 1 )
{
$myrow = mysql_fetch_row( $qresult );
$password = $myrow[0];
if ( $logpass )
$cryptpass = crypt( $logpass, "ak" );
if ( $cryptpass == $password )
{
$access = $myrow[1];
$logid = $myrow[2];
if ( !$requireAdmin || $access )
$login = true;
else
{
$error = "You don't have enough privileges to access this page.<br>";
$logout = true;
}
}
}
else
$error = "You must login to access this page.<br>";
if ( $login )
{
session_register( "loguser" );
session_register( "cryptpass" );
}
if ( $logout )
{
session_unset();
session_destroy();
$access = 0;
$login = false;
}
if ( !$login )
{
$loguser = "";
$logpass = "";
$logid = "";
}
if ( !$login )
{
include( "includes/header.php" );
// print out your login box and errors here
exit;
}
