PHP: Custom user authentication

[johnboulder]

Part 1

Welcome, all to the first of a series of articles to implementing your own custom user registration and authentication modules.

I strongly suggest you develop this part of your website as a module, otherwise you'll be tied to a particular implementation when you decide to make changes (and trust me - you'll make the changes!!

What you'll need

• An idea of what you need
• A site that would benefit from users
• Some ** PHP knowledge

** I say some, as you;ll need to understand how the language works, and connect to a mysql database or other datasource.

Setting up the data

The first and (possibly) the most important step is to have a logical way to group user data - a lot of people will push different forms on to you, but, in the end - whatever works best for you is the way you should do things.

Code:

Table: users
Caption: User authentication Data

Fields:
user_id INT auto_increment
user_email VARCHAR(250) # it's always wise to use an email address as a user identifier, as this is almost guaranteed to be unique for your user. **
user_password VARCHAR(200) # I recommend you store this as an md5 hashed value - it's more secure
user_status # This is specific to the system - if users can only do so much, it's not important to limit them using a user_status - but for a multiple user hierarchy (similar to that used on forums) - a user_status is important - see one of the future tutorials for alternative ways to do this.
user_hash VARCHAR(200) # I use this to make sure users do not suplpy spoof email addresses.
user_active INT
user_full_name VARCHAR(250) # Up to you really

Once you have your table - your 'a' for away - you can now start creating your registration and login forms - the reason I do this first is so that I know exactly what format data is going to be passed to my processing scripts.

An idea to make this easier is to include the files in .htm files that can be SSI'd into your scripts.

Right - down to the code

Code

First off - you need a data abstraction method - for more information on patterns - see http://phppatterns.com

I will post a sample a little later on in this thread for you to look at.

The assumption is you have created a persistent connection (or repeatedly established a new one) in $_SESSION['db'] - and that your class exports functions to retrieve data (using sql or otherwise).

Now we need to create the registration form - see the follwoing:

Code:

<form method="post" action="process.registration.php">
<ul>
  <li>email address</li>
  <li class="input"><input type="text" name="email" value="" /></li>
  <li>password</li>
  <li class="input"><input type="password" name="password" value="" /></li>
  <li>repeat password</li>
  <li class="input"><input type="password" name="repeat" value="" /></li>
  <li>your name</li>
  <li class="input"><input type="text" name="fullname" value="" /></li>
  <li class="buttons"><input type="submit" value="register" /></li>
</ul>
</form>

The next step, then, is to process whatever's been passed to us in the registration form and if it validates - then pop it in the database and send the user an email to activate their account.

PHP Code:

<?php
  // process.registation.php

  class Register {
    var $post;
    var $errors;

    function Register($data) {
      foreach ($data as $key => $value) {
        $newitem['name'] = $key;
        $newitem['value'] = $value;
        $this->post[$key] = $newitem;
      }
      $this->errors = array();
    }
  
    function Validate {
      $valid = true; 
      foreach ($this->post as $field) {
        if (($field['required']) && ($field['value'] !== "")) {
          if ($field['validates'] === true) {
            // this validates - continue
          }
          else {
            $valid = false;
            $this->errors[] = "The " . $field['name'] . " field does not validate - please try again.";
          }
        }
        else {
          $valid = false;
          $this->errors[] = "The " . $field['name'] . " field is a required element - please fill it in.";
        }
      }
      return $valid;
    }
  }

  $register = new Register($_POST);
  $register->post['email']['validates'] = is_email($register->post['email']['value']);
  $register->post['email']['required'] = true;
  $register->post['password']['required'] = true;
  $register->post['repeat']['required'] = true;
  $register->post['fullname']['required'] = true;
  $register->post['password']['validates'] = ($register->post['password']['value'] == $register->post['repeat']['value']);
  $register->post['repeat']['validates'] =  ($register->post['password']['value'] == $register->post['repeat']['value']);
  if ($register->Validate()) {
    // register these details
  }
  else {
    // redirect back o error page.
  }
?>

More in a while - play with this until such point as you're happy with it.

By the way - the is_email function is a simple function to check an email against a regexp.

PHP Code:

<?php
  function is_email($Addr) 
  {
   $p = '/^[a-z0-9!#$%&*+-=?^_`{|}~]+(\.[a-z0-9!#$%&*+-=?^_`{|}~]+)*';
   $p.= '@([-a-z0-9]+\.)+([a-z]{2,3}';
   $p.= '|info|arpa|aero|coop|name|museum)$/ix';
   return preg_match($p, $Addr);
  }
?>

Regards

[johnboulder]

Registration and form validation is probably the most tedious part of creating a user authentication system - authentication is much asier, and can generally be accomplished with less than 20 lines of code.

As I usually recommend that passwords are stored as a hash, the way you find out if a user is valid, and has supplied the right password - you just need 1 SQL statement - if it returns values, then log the user in, if it doesn't - they dont have a valid acccount, or have not supplied the correct information.

Code:

SELECT * FROM users u
  WHERE u.email LIKE '{$_POST[email]}'
  AND u.password = MD5({$_POST[password]})
  AND u.verified = '1'

To note a login, it's always easy to use a session.

Set $_SESSION['activeuser'] to your user record, then logging out is simply a matter of clearing the session item.

Regards

[SHP]

Another Hotscripts addition
Custom user authentication

[Xhris07]

Very nicely done John. I went to hotscripts and gave it my vote. EXCELLENT!!! This will come in handy many times over. I will have some playing to do so I can get a feel for doing this one. Thanks again.

[johnboulder]

Thank you for the kind words Xhris!

Unfortunately - the most boring parts of website development are often the most essential.

To name a couple:
Content Engines
User Authentication

To this end, I'm going to be developing part of an extensible system for both these functions that will adhere to any layout you want to throw at it. At the moment I'm referring to my views on conent management as 'content based development', which I'll write a small paper on once it's done.

I will also pop the details in a few posts here on ny-dev!

My next planned article is on caching.

The one after that, multiple-domain logins - similar to the way yahoo! and live do it.

More when they're done

Regards

[danielmichel]

congrats on the hotscripts approval

[johnboulder]

I suppose my only question is: "How did it get there?"

Was it you SHP?

Regards