Authenticating Users

Example 10-4 shows the order.1 script that is used for logging into the winestore application. The script is based on Example 9-8 and Example 9-9 from Chapter 9. If the user isn’t logged in—which should always be the case unless the script is unexpectedly called—and no credentials have been provided from a previous login attempt, the script displays a login <form> to the user. When the user successfully logs in, the script redirects to the calling page that’s stored in the session variable referer; if referer isn’t set, it redirects to the home page.

When the user provides credentials—a username and a password—the script is re-requested through the <form> submission process. The script encrypts the password provided by the user and checks if this matches the password stored in the users table. If it matches, the user is logged in by registering the session variable loginUsername and unregistering any session variables associated with failed attempts to update customer details. The session variable loginUsername stores the user’s email address, which, as discussed earlier, is the same as his username. If the password is incorrect, an error is generated, and the login <form> is redisplayed so the user can try again.
The framework used here is typical of authentication in a web database application. However, possible improvements to the process can include limiting the number of failed login attempts, a password changing feature, a password reminder module—where ...
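The flow described above, written out as an added example (this is not the book's order.1 script or any code from the winestore application): the login form, the credential check against the users table, registration of loginUsername, removal of leftover failed-update session state, and the redirect to the stored referer. The example uses PDO with a prepared statement and PHP's password_hash/password_verify API in place of whatever password encryption the book's script uses; it also adds the failed-attempt limit the text lists as an improvement. The users table columns user_name and password, the session keys failedLogins and customerUpdate*, the constant MAX_FAILED_LOGINS, and the database connection parameters are all assumptions. Requires PHP 8.0 or later.

```php
<?php
// Added example, not the book's code. Assumed: a `users` table with columns
// `user_name` and `password` (the latter holding password_hash() output);
// session keys `loginUsername` and `referer` as in the text; `failedLogins`
// and the `customerUpdate*` keys are assumed names.

declare(strict_types=1);
session_start();

const MAX_FAILED_LOGINS = 5;   // assumed limit on failed attempts per session

function db(): PDO
{
    // Connection parameters are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=winestore', 'DB_USER', 'DB_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Verify a username/password pair against the stored hash. password_verify
// runs even for unknown users so response time does not reveal which
// usernames exist; the dummy hash is a constructed value.
function checkCredentials(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = $row['password'] ?? password_hash('dummy-value', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $row !== false;
}

// Only follow a same-site relative path; an absolute URL or a scheme-relative
// "//host" value in the stored referer falls back to the home page.
function safeRedirectTarget(?string $referer, string $default = '/index.php'): string
{
    if ($referer !== null && preg_match('#^/[^/\\\\]#', $referer) === 1) {
        return $referer;
    }
    return $default;
}

function showLoginForm(string $error = ''): void
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo '<h1>Login</h1>';
    if ($error !== '') {
        echo '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo <<<HTML
<form method="post" action="{$self}">
  Username: <input type="text" name="loginUsername"><br>
  Password: <input type="password" name="loginPassword"><br>
  <input type="submit" value="Log in">
</form>
HTML;
}

// Already logged in: just send the user back to the calling page.
if (isset($_SESSION['loginUsername'])) {
    header('Location: ' . safeRedirectTarget($_SESSION['referer'] ?? null));
    exit;
}

// No credentials yet: show the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    showLoginForm();
    exit;
}

$username = trim((string) ($_POST['loginUsername'] ?? ''));
$password = (string) ($_POST['loginPassword'] ?? '');

if (($_SESSION['failedLogins'] ?? 0) >= MAX_FAILED_LOGINS) {
    showLoginForm('Too many failed attempts; please try again later.');
    exit;
}

if ($username !== '' && checkCredentials(db(), $username, $password)) {
    session_regenerate_id(true);              // fresh session id on login
    $_SESSION['loginUsername'] = $username;   // the user's email address, per the text
    unset($_SESSION['failedLogins']);
    // Discard state left over from failed customer-detail updates (key prefix assumed).
    foreach (array_keys($_SESSION) as $key) {
        if (str_starts_with($key, 'customerUpdate')) {
            unset($_SESSION[$key]);
        }
    }
    header('Location: ' . safeRedirectTarget($_SESSION['referer'] ?? null));
    exit;
}

// Wrong username or password: count the failure and redisplay the form.
$_SESSION['failedLogins'] = ($_SESSION['failedLogins'] ?? 0) + 1;
showLoginForm('Username or password incorrect.');
```

Two choices worth noting: the same error message is shown whether the username or the password was wrong, and the redirect target taken from the session is checked to be a relative path before it is used, so a tampered or stale referer value cannot send the user to another site.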