CrankBerry Blog Title
2009

Secure PHP login without database

Although it is not recommended, you may for some reason need to create a PHP login without using any database (SQL). You may be hesitant to approach it, but here is a script I made that is fairly secure without using a database at all. It allows users to log in and stay logged in. If you are one of those people, then here is the script for you.

This script does not use any external files to store usernames and passwords, since that opens up more security holes for attackers; everything is managed in an array within the PHP file itself. If somebody were able to get hold of your PHP file this would compromise things, but the chances of that happening are about the same as with a database.

Features

  • Utilizes cookies to give users the ability to stay logged in across multiple pages
  • Secure login algorithm mitigates hacking attempts

Drawbacks

Now by not utilizing a database there are some drawbacks and they are:

  • Users cannot change their own usernames or passwords
  • Users can attempt login as many times as they want

With that said, usernames and passwords must be managed by an admin. If that suits you, read on. If it does not, wait around, because I will convert this script into a database version in the future.

Less Talk More Script

Installation:

Just download all the necessary files which includes:

  • _login.php
  • _login_page.php
  • _login_class.php
  • _login_users.php
  • login.php
  • logout.php

Once you put these in your root folder you need to edit the users and settings. Open up _login_users.php and you'll see:

<?php

//My Login Script
//Attach this to any page that requires Login

//Users and Settings
$domain_code = 'website';       //Alpha Numeric and no space
$random_num_1 = 20;             //Pick a random number between 1 to 500
$random_num_2 = 565;            //Pick a random number between 500 to 1000
$random_num_3 = 3;              //Pick a random number between 1 to 3

//Usernames can contain letters, numbers, hyphens and underscores only
//Set users below – the quoted value before the " => " is
//the username and the quoted value after the " => " is the password.
//It's an array, so add a comma after every password except for the
//last one in the list, as shown below
//Eg. $users = array(
//              'user1' => 'password',
//              'user2' => 'password'
//      );

$users = array(
                'user1' => 'password',
                'user2' => 'password'
        );

?>

Modify the domain code and the three random numbers. The three random numbers are the key that makes the login secure and unique to your website only. Then at the bottom you can create all of your users.

Now, in every page where you require the user to log in, add the following code to the very top of the page, exactly on line 1.

<?php require('_login.php'); ?>

That's pretty much all you need to do to install the secure login script. The only other thing, if you want, is that you can edit _login_page.php. That's the page people see when they need to log in.
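As an added example (this is not the code from the download), here is the same no-database design, users kept in a PHP array and a cookie named after $domain_code that keeps the user logged in, but with the cookie signed by an HMAC under one random secret instead of being derived from three small numbers, and with password hashes instead of plaintext passwords in the array. The function names, $cookie_secret and $cookie_ttl are assumptions made for this example; it needs PHP 7 or newer.

```php
<?php
// Added example, not the script from the post: same layout as _login_users.php
// (users in an array, a "stay logged in" cookie) with the cookie protected by
// hash_hmac() under one random secret. Function names are assumptions.
// Requires PHP 7+ (password_hash, hash_equals, random_bytes).
$domain_code   = 'website';          // cookie name, as in _login_users.php
$cookie_secret = 'REPLACE-ME';       // paste the output of bin2hex(random_bytes(32))
$cookie_ttl    = 7 * 24 * 3600;      // "stay logged in" for one week

// Keep password hashes, not passwords: paste the output of
// password_hash('the password', PASSWORD_DEFAULT) for each user.
$users = array(
    'user1' => password_hash('password', PASSWORD_DEFAULT), // hashing at runtime is for demonstration only
    'user2' => password_hash('password', PASSWORD_DEFAULT),
);

// Checks the submitted credentials and, on success, sets the signed cookie.
function login_user($username, $password) {
    global $users, $domain_code, $cookie_secret, $cookie_ttl;
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $username)        // same username alphabet as the post
        || !isset($users[$username])
        || !password_verify($password, $users[$username])) {
        return false;
    }
    $expires = time() + $cookie_ttl;
    $payload = $username . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, $cookie_secret);
    // HttpOnly keeps page scripts away from the cookie; pass true for "secure" on an HTTPS site
    setcookie($domain_code, $payload . '|' . $mac, $expires, '/', '', false, true);
    return true;
}

// Returns the logged-in username, or null when the cookie is missing, expired,
// forged, or names a user who has since been removed from $users.
function current_user() {
    global $users, $domain_code, $cookie_secret;
    if (!isset($_COOKIE[$domain_code])) return null;
    $parts = explode('|', $_COOKIE[$domain_code]);
    if (count($parts) !== 3) return null;
    list($username, $expires, $mac) = $parts;
    if (!ctype_digit($expires) || (int) $expires < time()) return null;
    if (!isset($users[$username])) return null;
    $expected = hash_hmac('sha256', $username . '|' . $expires, $cookie_secret);
    return hash_equals($expected, $mac) ? $username : null;   // constant-time comparison
}

function logout_user() {
    global $domain_code;
    setcookie($domain_code, '', time() - 3600, '/', '', false, true);
}
```

A protected page calls current_user() on line 1 and redirects to login.php when it returns null, before any HTML is output.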

Login and Logout

You can lead users to login and logout with links to login.php and logout.php as such.

<a href="login.php">Login</a> | <a href="logout.php">Logout</a>

Displaying Macros

In this case the only macro you can call up is the username after the user has logged in. You can use it in a welcome-back message like this (placed in your HTML).

Welcome back <?php echo $login->username; ?>

Download the files:
PHP Login Without Database.zip


This entry was posted on Friday, October 23rd, 2009 at 10:55 pm and is filed under PHP, Web Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

36 Responses to “Secure PHP login without database”

  1. Holly Holly says:

    Firstly, thank you very much for posting this! I did have one question (sorry!) and that is how could I change it to allow the user name to be people's email addresses?

    Ideally I would like to just have people sign in with their email addresses and not have a password, just the username box which would be their email. I think this could work, the only drawback being that "Usernames can contain alphabets, numbers, hyphens and underscore only"

    Any help you can give would be greatly appreciated, thank you!

  2. Jerry Jerry Low says:

    Holly, yes I can show you how to do so, but I was wondering if it only requires an email and no password wouldn't other people be able to login to other accounts as well? Let me know and I'll reply to you with a script.

  3. Holly Holly says:

    The login will be for volunteers logging in to see more information about volunteering, there won't be any confidential information. The information will be the same, regardless of the user name. Would you recommend a password too?

  4. Jerry Jerry Low says:

    That seems fine, I was just curious. Here is what you're looking at for an email login:

    http://www.crankberryblog.com/files/php_email_login.zip

  5. Holly Holly says:

    Thank you so much for taking the time to do this! I really appreciate it. I have a couple of questions then hopefully that'll be it.

    Would there be a limit to how many users I can add, and also sometimes it requires me to enter my email address twice before logging me in – is there anything I can do to fix this?

  6. Jerry Jerry Low says:

    Hey Holly sorry for the late reply I've been away for holidays. Yes it allows unlimited users.

    As for the second problem I'll have to do a test tomorrow; check back tomorrow night.

  7. Holly Holly says:

    Great, thank you! I really appreciate the help.

  8. Holly Holly says:

    Hey, I'm sorry to be a pain about this but did you find anything out about why the user has to enter their login info twice?

  9. Jerry Jerry Low says:

    Hey Holly, much apologies as I have taken on more clients than I could handle at the moment. Here's the reason why. After I changed it to email only one of the functions was thrown off. If you open up _login_class.php you'll have to replace the verify_login function with the following:

    function verify_login ($key_uid, $key_cid) {
        //Check Login: the cookie code must match the code computed from the uid.
        //Strict comparison (===); a single = here would assign instead of compare
        //and let the check pass for any cookie value. Assumes code_encryption()
        //and user_encryption() return strings (hashes).
        if ($key_cid === $this->code_encryption($key_uid)) {
            //Validate Username Is True: in the email-only version $this->users
            //is a plain list of addresses, so each value is a username
            foreach ($this->users as $username) {
                if ($key_uid === $this->user_encryption($username)) {
                    $this->username = $username;
                    return TRUE;
                }
            }
        }
        return FALSE;
    }

  10. Robert Robert says:

    What is a data base for log/register on my server? Is this a from word 2003/2007 data base?
    How do I do the log in and register set up on my site, so people can log in and register? What is used for the data base?
    And where do you put your log in folder and log out folder etc.?
    Thanks Robert.

  11. Jerry Jerry Low says:

    Hey Robert, this script specifically is for no database usage, as explained it is less flexible and only slightly less secure due to a floating file with the user database on it. Now, I will be releasing a database version of this possibly end of the week (based on my workload). The database that I'll be using will be MySQL. If you're planning to operate a database driven website you should definitely look into MySQL. There is no login folder and logout folder.

    As for the registration, the non-database driven script doesn't have that feature; you'll have to wait for my next script.

    -Cheers

  12. Holly Holly says:

    Fantastic, thank you so so much, Jerry!

  13. Varhoken Varhoken says:

    I found something {interesting|great|amazing} that I read….

    I just had to share, look at what I found from looking around the web….

  14. Erik Erik says:

    Thanks for a fantastic script!
    I was wondering though if it is possible to serve different content depending on whether you are logged in or not? I have been toying a bit but my PHP skills are lacking.

  15. Jerry Jerry Low says:

    Erik, did you specifically want to work with the non-database version? It's a bit trickier in this version but it's possible.

    Are you working with static content? Are you going to manage the user list yourself manually?

  16. Erik Erik says:

    Thank you for your quick reply! much appreciated

    The project I'm working on is a small corporate website where I plan to use TinyMCE so they can update the info by themselves. As a larger CMS just seems like overkill and they will at most use 2 accounts which both have full admin privileges (changing text content), I thought a MySQL solution would also be overkill if it could be done otherwise, as I'm not very familiar with database use.

    So what I'm trying to do is simply show TinyMCE activated if logged in, otherwise just the regular HTML (and PHP) version of the site. If it makes it a lot trickier with your script, then I might just get learning some MySQL, but I really like your solution and would be happy to be able to use it!

  17. The Gibby The Gibby says:

    Maybe I am overlooking a scope issue here, but couldn't you change the section below and store that as a required file (inside of _login.php) somehow? Then you could end up developing the script so you could then change the user name and password, since it would then be stored as a different file that could be changed. I could do that, but what's your opinion on the security issues this may then create? I mean if not using a database you're not really looking for super secure to begin with, but according to your above statement it'd still be reasonably secure since it would still require them getting access to your PHP files. Thoughts? If I get time and you are interested I'll post you a copy of something that sort of does what I mean.

    <?php
    $users = array(
                    'user1' => 'password',
                    'user2' => 'password'
            );
    ?>
    
  18. Jerry Jerry Low says:

    Erik,

    I see your situation. Simple enough here's a modified script that should suit your needs.

    Download Files:
    PHP Login Without Database PageLock.zip

    Basically it's what I mentioned before, you'll be managing access to pages based on credentials. So the user list is modified to:

    $users = array(
    	array('user1', 'test', 'A', 1),
    	array('user2', 'test2', 'A', 2),
    	array('user3', 'test', 'B', 3),
    	array('user4', 'test', 'B', 4)
    );

    And each page you want specific access you just have to add:

    $login->pageLock(NULL, array(1, 4));

    I've added instructions and comments in the code if you want to understand more of how to use the page lock.

    Gibby, it's not a bad idea and my original thought was to do the same, but having an editable file would mean opening up write access. I'm not a specialist in securing write-access files so I didn't take that approach. Definitely feasible though.

  19. Erik Erik says:

    Appreciate all the help!
    The link to the file seems to be malfunctioning though :)

    I'm an interaction designer so if you need some expertise in that area i'd be happy to help you out in return!

  20. Erik Erik says:

    Ah, found the file at "http://www.crankberryblog.com/files/php-login-without-database-pageLock.zip"!

  21. Jerry Jerry Low says:

    Oops sorry Erik, I keep forgetting the paths aren't relative. I'm getting all these websites mashed in my head.

    Anyways, I'm not in need of anything right now but I'll keep that in mind.

  22. Tim Tim says:

    I'm not a programmer but this is exactly what I need – great! However I'm having trouble getting the redirect to work – any ideas why that might be?

    Thanks.

  23. Jerry Jerry Low says:

    Hey Tim,

    I was wondering if you made any changes to the code. The redirection will only work before any HTML code is outputted.

  24. Tim Tim says:

    Hi Jerry

    The only change is to the line : header("LOCATION: PDPform.html"); to reflect the name of the file I want to go to.

    Does the value of the domain code in _login_users.php have any bearing?

  25. Jerry Jerry Low says:

    Tim,

    The $domain_code is merely for making the cookies saved unique to your website only. It won't change anything in the equation. I suppose it's your login redirect that is having the problem, or is it the logout? Are there any error messages being outputted?

  26. Jerry Jerry Low says:

    Also, was wondering if you had cookies enabled…

  27. Olive Olive says:

    Hi,

    Thank you very much for the code.

    I have some few questions to ask as below :

    1. $domain_code = 'website'; Should I have to put the url of the page which I want member to login before they can redirect to protected page, right? (in easy word, I mean the page that contain login form)

    2. Do these code need to be in root folder?

    3. Is it possible if I would like these codes along with my other protected php pages located together in sub directory? Do I need to change any code inside?

    Thank you for your kind reply.

  28. Jerry Jerry Low says:

    Hey Olive,

    1. The $domain_code is actually just a unique naming code for your cookies. You just need to put any name. It could be Olive, code, random, or anything you like. It doesn't affect the pages and operation much.

    2. These files are all currently linked together as being in the same directory. They don't have to be in the root but they have to be in the same folder. You can move them around but you'll have to change the file pointing to them.

    3. You can link to the login from sub directories or have the login in a sub directory and link back. You'll have to change the path to the files though such as the login and logout php pages.

    Hope that helps!

  29. Olive Olive says:

    Thank you Jerry. This is really great.

  30. Kamil Kamil says:

    Do you know what is wrong??? And what is the solution to this problem? Thx;)

    Warning: Cannot modify header information – headers already sent by (output started at /data/www/silentman/w/_login_users.php:1) in /data/www/silentman/w/_login_class.php on line 43

    Warning: Cannot modify header information – headers already sent by (output started at /data/www/silentman/w/_login_users.php:1) in /data/www/silentman/w/_login_class.php on line 44

    Warning: Cannot modify header information – headers already sent by (output started at /data/www/silentman/w/_login_users.php:1) in /data/www/silentman/w/login.php on line 5

  31. Jerry Jerry Low says:

    Kamil the script relies on the PHP header(); function to redirect you after you logged in.

    Now the function only works if nothing has been outputted to your browser yet. A PHP script will run on the server and won't output anything to the browser unless you have an echo "; script. So you can't have anything like echo "; before my script.

    Or if you included my script after the , or tag it also won't work. It has to be before that.

    Now if you do need to output something before the script then you need to use Javascript for the redirect.
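An added diagnostic (not part of the post or the script) for the warnings quoted above: since PHP reports the output as having "started at _login_users.php:1", the usual cause is a UTF-8 byte order mark or whitespace in front of the opening <?php tag, or text after the closing ?> (PHP swallows only a single newline there). This command-line script, whose name and file list are assumptions, reports any such bytes in each file given to it.

```php
<?php
// Added example, not from the post: finds bytes that become output before
// header() can run. Usage (file names are an assumption):
//   php check_output.php _login_users.php _login_class.php login.php
function find_stray_output($path) {
    $src = file_get_contents($path);
    if ($src === false) {
        return array('cannot read file');
    }
    $problems = array();
    // A UTF-8 byte order mark is sent to the browser before line 1 is parsed.
    if (substr($src, 0, 3) === "\xEF\xBB\xBF") {
        $problems[] = 'UTF-8 BOM before <?php (save the file as UTF-8 without BOM)';
        $src = substr($src, 3);
    }
    $open = strpos($src, '<?php');
    if ($open === false) {
        $problems[] = 'no <?php tag found';
    } elseif ($open > 0) {
        $problems[] = $open . ' byte(s) of text before <?php on line 1';
    }
    // PHP consumes exactly one newline after a closing ?>; anything more is output.
    $close = strrpos($src, '?>');
    if ($close !== false) {
        $tail = substr($src, $close + 2);
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $problems[] = strlen($tail) . ' byte(s) after the closing ?> (drop the ?> tag or the trailing text)';
        }
    }
    return $problems;
}

foreach (array_slice($argv, 1) as $file) {
    $problems = find_stray_output($file);
    echo $file, ': ', $problems ? implode('; ', $problems) : 'clean', "\n";
}
```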

  32. Kamil Kamil says:

    thx;)

  33. Chris Chris says:

    Hello Everyone,

    I'm new to this site, however I've worked out the non-database PHP script.

    However, it would be nice if someone could tell me where and what line of code I should add so the session would terminate itself (logout) upon closing the browser window.

    Help from anyone is appreciated.
    Thank you in advanced.

    Chris

  34. Jerry Jerry Low says:

    Hey Chris, sessions usually close/terminate by themselves after a short period when the browser closes. I believe if you're using tabs and you close one tab the session resides. I could be wrong.

    That being said, it's not quite possible to do so through PHP as PHP is server-side code and when the browser is terminated the browser doesn't communicate with the server. So you may have to look into a JavaScript alternative if you need a full termination of cookies/sessions right at the moment of closing.

    -Jerry

  35. Rich Rich says:

    Hi, sorry for asking a basic question, but is it possible to redirect the users depending on their username to different webpages? Where is it set where the page redirects?

    thanks

    Rich

  36. Lil Lil says:

    Very useful, thank you.
