CrankBerry Blog Title
2009



Secure PHP login without database

Although it is not recommended, you may for some reason need to create a PHP login without using any database (SQL). You may be wary of approaching it, but I have made a script that is fairly secure without utilizing any database at all. It allows users to log in and stay logged in. If you are one of those people, then here's the script for you.

This script does not use any external files to store usernames and passwords, as that opens up more security flaws for hackers, so everything is managed in an array within the PHP. If somebody were able to get hold of your PHP file, this would compromise things, but the chances of that happening are fairly close to those when utilizing a database.

Features

  • Utilizes cookies to give users ability to stay logged in across multiple pages
  • Secure login algorithm mitigates hacking attempts

Drawbacks

Now by not utilizing a database there are some drawbacks and they are:

  • Users cannot change password and user names manually
  • Users can attempt login as many times as they want

With that said, it means that usernames and passwords must be managed by an admin. If this is still something for you. If this is not for you, wait around, because I will convert this script into a database version in the future.

Less Talk More Script

Installation:

Just download all the necessary files which includes:

  • _login.php
  • _login_page.php
  • _login_class.php
  • _login_users.php
  • login.php
  • logout.php

Once you put these in your root folder you need to edit the users and settings. Open up _login_users.php and you'll see:

<?php

//My Login Script
//Attach this to any page that requires Login

//Users and Settings
$domain_code = 'website';       //Alpha Numeric and no space
$random_num_1 = 20;             //Pick a random number between 1 to 500
$random_num_2 = 565;            //Pick a random number between 500 to 1000
$random_num_3 = 3;              //Pick a random number between 1 to 3

//Usernames can contain alphabets, numbers, hyphens and underscore only
//Set users below – Just add " => " with the first " being
//the username and the second " after the => being the password.
//Its an array so add an , after every password except for the
//last one in the list. As shown below
//Eg. $users = array(
//              'user1' => 'password',
//              'user2' => 'password'
//      );

$users = array(
                'user1' => 'password',
                'user2' => 'password'
        );

?>

Modify the domain code and the three random numbers. The three random numbers are the key that makes the login secure and unique to your website only. Then, at the bottom, you can create all of your users.
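The `$users` array above keeps each password in plaintext, so anyone who can read `_login_users.php` reads every password. The following is an added example, not part of the downloadable script: the same array holding `password_hash()` output, plus a stay-logged-in cookie value signed with an HMAC. It assumes PHP 5.6 or later; `$cookie_secret`, `check_credentials()`, `issue_cookie()` and `verify_cookie()` are hypothetical names introduced here.

```php
<?php
// Added example, not part of the downloadable script. All names are hypothetical.
// Generate the secret once, e.g. bin2hex(random_bytes(32)); placeholder shown here.
$cookie_secret = 'REPLACE-WITH-LONG-RANDOM-SECRET';
// Store password_hash() output instead of the password. A real file would hold
// pasted-in hash strings; they are computed here only so the example runs alone.
$users = array(
    'user1' => password_hash('constructed-sample-pw-1', PASSWORD_DEFAULT),
    'user2' => password_hash('constructed-sample-pw-2', PASSWORD_DEFAULT),
);

function check_credentials(array $users, $username, $password) {
    // Form fields can arrive as arrays; accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Same rule the script documents: letters, numbers, hyphens, underscores.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $username)) {
        return false;
    }
    $known = isset($users[$username]);
    // Unknown users are checked against a throwaway hash so both paths do similar work.
    $hash = $known ? $users[$username] : password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $known;
}

function issue_cookie($secret, $username, $ttl = 3600) {
    // Value format: username|expiry|HMAC(username|expiry)
    $payload = $username . '|' . (time() + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

function verify_cookie($secret, array $users, $cookie) {
    $parts = is_string($cookie) ? explode('|', $cookie) : array();
    if (count($parts) !== 3) {
        return false;
    }
    list($username, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    // hash_equals() compares in constant time; check the MAC before trusting any field.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return false;
    }
    return isset($users[$username]) ? $username : false;
}
```

After a successful `check_credentials()`, the value from `issue_cookie()` would be sent with `setcookie()` using its secure and httponly options, and each protected page would call `verify_cookie()` on the incoming cookie value.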

On every page that requires the user to log in, just add the following code to the very top of the page, exactly on line 1.

<?php require('_login.php'); ?>

That's pretty much all you need to do to install the secure login script. The only other thing you may want to do is edit _login_page.php. That's the page people see when they need to log in.

Login and Logout

You can lead users to login and logout with links to login.php and logout.php as such.

<a href="login.php">Login</a> | <a href="logout.php">Logout</a>

Displaying Macros

In this case the only macro you can call up is the username after they have logged in. You can call it in a welcome back message like this (placed in your HTML).

Welcome back <?php echo $login->username; ?>

Download the files:
PHP Login Without Database.zip

This entry was posted on Friday, October 23rd, 2009 at 10:55 pm and is filed under PHP, Web Security.



12 Responses to “Secure PHP login without database”

  1. Holly says:

    Firstly, thank you very much for posting this! I did have one question (sorry!) and that is how could I change it to allow the user name to be people's email addresses?

    Ideally I would like to just have people sign in with their email addresses and not have a password, just the username box which would be their email. I think this could work, the only drawback being that "Usernames can contain alphabets, numbers, hyphens and underscore only"

    Any help you can give would be greatly appreciated, thank you!

  2. Jerry Low says:

    Holly, yes I can show you how to do so, but I was wondering: if it only requires an email and no password, wouldn't other people be able to log in to other accounts as well? Let me know and I'll reply to you with a script.

  3. Holly says:

    The login will be for volunteers logging in to see more information about volunteering, there won't be any confidential information. The information will be the same, regardless of the user name. Would you recommend a password too?

  4. Jerry Low says:

    That seems fine, I was just curious. Here is what you're looking at for an email login:

    http://www.crankberryblog.com/files/php_email_login.zip

  5. Holly says:

    Thank you so much for taking the time to do this! I really appreciate it. I have a couple of questions then hopefully that'll be it.

    Would there be a limit to how many users I can add, and also sometimes it requires me to enter my email address twice before logging me in – is there anything I can do to fix this?

  6. Jerry Low says:

    Hey Holly, sorry for the late reply, I've been away for holidays. Yes, it allows unlimited users.

    As for the second problem, I'll have to do a test tomorrow; check back tomorrow night.

  7. Holly says:

    Great, thank you! I really appreciate the help.

  8. Holly says:

    Hey, I'm sorry to be a pain about this but did you find anything out about why the user has to enter their login info twice?

  9. Jerry Low says:

    Hey Holly, many apologies, as I have taken on more clients than I could handle at the moment. Here's the reason why. After I changed it to email only, one of the functions was thrown off. If you open up _login_class.php you'll have to replace the verify_login function with the following:

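    function verify_login ($key_uid, $key_cid) {
        //Check Login: compare (==) the cookie code with the expected code.
        //A single = would assign instead of compare, so the check would
        //pass whenever the expected code is non-empty.
        if ($key_cid == $this->code_encryption($key_uid)) {
            //Validate Username Is True
            foreach ($this->users as $username) {
                if ($key_uid == $this->user_encryption($username)) {
                    $this->username = $username;
                    return TRUE;
                }
            }
        }

        return FALSE;
    }
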
  10. Robert says:

    What is a database for log/register on my server? Is this from a Word 2003/2007 database?
    How do I do the login and register setup on my site, so people can log in and register? What is used for the database?
    And where do you put your login folder and logout folder, etc.?
    Thanks, Robert.

  11. Jerry Low says:

    Hey Robert, this script specifically is for no database usage; as explained, it is less flexible and only slightly less secure due to a floating file with the user database on it. Now, I will be releasing a database version of this possibly end of the week (based on my workload). The database that I'll be using will be MySQL. If you're planning to operate a database-driven website you should definitely look into MySQL. There is no login folder and logout folder.

    As for the registration, the non-database-driven script doesn't have the feature; you'll have to wait for my next script.

    -Cheers

  12. Holly says:

    Fantastic, thank you so so much, Jerry!
