Create a Secure Login Page in PHP

Jan 26, 2023 brute-force attack, login page, password hashing, PHP, prepared statements, programming, security, session management, SQL injection, user authentication, web application, web development

Learn how to create a secure login page in PHP by following best practices for preventing common security vulnerabilities. Discover how to use prepared statements, password hashing, and session management to protect your website or application from SQL injection, brute-force attacks, and other security threats. Get started building a safe and secure login page for your PHP project today

Here are some general best practices for writing a secure login page script in PHP:

Use prepared statements and parameterized queries to prevent SQL injection attacks.
Hash and salt passwords before storing them in the database, and use a secure hashing algorithm like bcrypt or argon2.
Use HTTPS to encrypt data in transit and prevent man-in-the-middle attacks.
Implement rate limiting to prevent brute-force attacks.
Use a secure session management system that regenerates session IDs after login to prevent session hijacking.
Validate input data to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Use a CAPTCHA or other form of challenge-response test to prevent automated login attempts.
Use a secure cookie to store the session ID, and set the “secure” and “HTTPOnly” flags.

Here is an example of a simple, but not secure, login page script in PHP:

<?php
// connect to the database
$db = mysqli_connect('host', 'username', 'password', 'database');

// check if the form has been submitted
if (isset($_POST['submit'])) {
// get the form data
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);

// check if the user exists in the database
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
// login successful
$_SESSION['username'] = $username;
header('location: index.php');
} else {
// login failed
echo 'Invalid login';
}
}

It is important to note that this example is not secure, it needs to be implemented with other security features to make it safe.

Here is an example of a secure login page script in PHP that incorporates some of the best practices I mentioned earlier:

<?php
session_start();

//connect to the database using PDO
$dsn = "mysql:host=host;dbname=database;charset=utf8mb4";
$options = [
PDO::ATTR_EMULATE_PREPARES => false, // turn off emulation mode for "real" prepared statements
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, //turn on errors in the form of exceptions
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, //make the default fetch be an associative array
];
try {
$pdo = new PDO($dsn, "username", "password", $options);
} catch (Exception $e) {
error_log($e->getMessage());
exit('Something weird happened'); //something a user can understand
}

// check if the form has been submitted
if (isset($_POST['submit'])) {
// get the form data
$username = $_POST['username'];
$password = $_POST['password'];
// check if the user exists in the database
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $username]);
$user = $stmt->fetch();
if ($user) {
//verify the password
if (password_verify($password, $user['password'])) {
// login successful
$_SESSION['username'] = $username;
header('location: index.php');
} else {
// login failed
echo 'Invalid login';
}
} else {
// login failed
echo 'Invalid login';
}
}

In this example, I am using PDO (PHP Data Objects) extension to connect to the database, which provides a secure way to interact with the database. I am also using prepared statements to prevent SQL injection attacks. The password is verified using the password_verify() function, which is a built-in function in PHP for checking hashed passwords. This function uses a secure algorithm and salt internally.

It is also recommended to use a php framework that has built-in security features like CodeIgniter, Laravel, or Symfony. These frameworks have been built with security in mind and provide a lot of useful security features out of the box, such as user authentication, built-in rate limiting, and CSRF protection.

It’s important to note that this is a basic example and you should always consider other security measures like rate limiting, IP blocking, use of HTTPS, and use of secure session management.