
How to prevent SQL injection in Registration and Login system in PHP MySQL

This post shows how to prevent SQL injection in a registration and login system written in PHP with MySQL. It covers the MySQL connection, user registration, login and logout, with a PHP session used to keep the user logged in. Each file is discussed step by step. Almost every project needs registration, login and logout, so this is a basic but important tutorial.

The most important part of this tutorial is SQL injection prevention. SQL injection is a code injection technique in which attacker-controlled input changes the SQL statement a program sends to its database; against a login form it is typically used to bypass authentication and reach the admin panel without valid credentials. The steps below show how to keep user input from being interpreted as SQL.



The script contains two folders, adminpanel and css, and seven PHP files:

index.php // Home page and login form

login.php // Login submission code

conn.php // Database connectivity (the other scripts include it as "conn.php", so keep the lower-case file name)

userReg.php // User registration page

subReg.php // Registration submission code

home.php // Post-login home page, inside the adminpanel folder

logout.php // Destroys your session, inside the adminpanel folder

adminpanel

css

 

 

index.php

This is the main index page and also the login form. You can log in to the adminpanel here, but first you have to register. Below the form there is a link to the registration page.

At the very top of the PHP code we start the session and check whether a login session already exists ("if(isset($_SESSION['user_id']) && isset($_SESSION['username']))"). If it does, index.php redirects to adminpanel/home.php and stops; otherwise it renders the login form.

 
<?php
// Bitwise mask: the original "E_ALL && ~E_NOTICE" is a boolean expression and silences everything except E_ERROR
error_reporting(E_ALL & ~E_NOTICE);
session_start();

// Already logged in: send the user straight to the adminpanel and stop rendering the login form
if(isset($_SESSION['user_id']) && isset($_SESSION['username']))
{
    header('Location: adminpanel/home.php');
    exit;
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
    <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
    <title>How to prevent SQl injection in PHP Mysql Login and Registration system - UandBlog</title>
    <link rel='stylesheet' type='text/css' href='css/style.css' />
</head>

<body style="background-color:#CCCCCC;">

    <div id="page-wrap">  
        <div class="login-block" style="margin-left:300px; margin-top:100px;">
            <h3>User Login</h3>

           
<form action="login.php" method="post">

                <p><label for="ftp-user-name">User Name</label><input type="text" name="uname" required/></p>
                <p><label for="ftp-password">Password</label>
<input type="password" name="pass" required/></p>
                <p class="submit-wrap">
<input type="submit" class="button" value="Login" /></p>
                
                      <br/>
                    
<?php if($_SERVER['QUERY_STRING']=='err') { ?>
                      <div style="color:#FF0000; font-size:13px;">Username Password combination doesnot match.</div>
                    
<?php } ?>
                      
<?php if($_SERVER['QUERY_STRING']=='rc') { ?>
                      <div style="color:#006600; font-size:13px;">Registration Successful.</div>
                    
<?php } ?>
                     
                      
<?php if($_SERVER['QUERY_STRING']=='logout') { ?>
                      <div style="color:#006600; font-size:13px;">Logout Successful.</div>
                    
<?php } ?>
            
            
           
</form>

            <br  />
            <a href="userReg.php">Not registered? Click Here</a>
        </div>
    </div>
   
   </body>
</html>
 

login.php

This is the login part and the most important part. First connect to the MySQL database (conn.php), then read the values posted from the login form. To prevent SQL injection, every value is passed through "mysql_real_escape_string" before it is placed inside the quoted string literals of the query, so a quote in the input cannot close the literal and inject SQL. This escaping only protects values inside quotes and relies on the connection character set being set on the link; it does nothing for a value dropped into the query unquoted. After a successful check the script stores the username in the session variable ("$_SESSION['username'] = $uname;").

Two caveats for anything beyond a demo. The mysql_* extension this tutorial uses was deprecated in PHP 5.5 and removed in PHP 7.0; the current equivalent is a prepared statement (mysqli or PDO) with bound parameters, which keeps data and SQL separate without any escaping to remember. Also, the query compares the submitted password directly against the stored column, so passwords are kept in plain text; store a hash with password_hash() and check it with password_verify() instead.

 
<?php
session_start();
include("conn.php");

// Escape quotes and backslashes so the values cannot break out of the quoted literals in the query below
$uname = mysql_real_escape_string($_POST['uname']);
$upass = mysql_real_escape_string($_POST['pass']);

$sql = mysql_query("SELECT * FROM userdetails WHERE userName='$uname' AND userPassword='$upass'");
if(mysql_num_rows($sql)>0)
{
    $fet = mysql_fetch_assoc($sql);   // the original never fetched the row, so $fet['userId'] was always empty
    session_regenerate_id(true);      // fresh session id on login, so a pre-login id cannot be reused (session fixation)
    $_SESSION['username'] = $uname;
    $_SESSION['user_id'] = $fet['userId'];
    header('Location: adminpanel/home.php');
    exit;
}
else
{
    header('Location: index.php?err');
    exit;
}
 

 

conn.php

This is the database connectivity file. The credentials shown (root with an empty password) are for a local test setup only; in a real deployment use a dedicated database user that has only the SELECT and INSERT rights this application needs.
 
<?php 

    // Bitwise mask; the original "E_ALL && ~E_NOTICE" is a boolean and silences everything but E_ERROR
    error_reporting(E_ALL & ~E_NOTICE);
    // Demo credentials: use a dedicated, least-privileged account in a real deployment
    $conn = mysql_connect("localhost", "root", "");
    if(!$conn) die("Failed to connect to database!");
    $status = mysql_select_db('login-sql-injection-php', $conn);
    if(!$status) die("Failed to select database!");
    // mysql_real_escape_string() escapes according to the connection charset; set it on the link,
    // not with a "SET NAMES" query, so the escaping and the server agree on the encoding
    mysql_set_charset('utf8', $conn);
    // No closing ?> tag: stray whitespace after it would be sent as output and break header() redirects
 

userReg.php

This is user registration page.
 
<?php
error_reporting(E_ALL & ~E_NOTICE);   // bitwise mask, not the boolean && of the original
session_start();
// A logged-in user has no reason to see the registration form; redirect and stop
if(isset($_SESSION['user_id']) && isset($_SESSION['username']))
{
    header('Location: adminpanel/home.php');
    exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
    <meta http-equiv='Content-Type' content='text/html; charset=UTF-8' />
    <title>How to prevent SQl injection in PHP Mysql Login and Registration system - UandBlog</title>
    <link rel='stylesheet' type='text/css' href='css/style.css' />
 </head>

<body style="background-color:#CCCCCC;">
    <div id="page-wrap">
        <div class="login-block" style="margin-left:300px; margin-top:100px;">
            <h3>
User Registration</h3>

            <form action="subReg.php" method="post">
                <p><label for="ftp-user-name">User Name</label><input type="text" name="uname" required/></p>
                <p><label for="ftp-password">
Password</label><input type="password" name="pass" required/></p>
                <p class="submit-wrap">
<input type="submit" class="button" value="Submit" /></p>
           </form>

            <br  />
          
 <a href="index.php">Already registered? Click Here</a>
        </div>
    </div>
    
</body>
</html>
 

subReg.php

The user details are submitted to the MySQL database. The input is escaped in the same way as in login.php. As written, the password is stored in plain text, so anyone who can read the table (through a separate SQL injection, a leaked backup or a shared hosting account) obtains every user's password; hashing it with password_hash() before the INSERT is the fix.
 
<?php
session_start();
include("conn.php");

// Same escaping as in login.php: the values are placed inside quoted literals below
$uname = mysql_real_escape_string($_POST['uname']);
$upass = mysql_real_escape_string($_POST['pass']);

// NOTE: this stores the password in plain text; hash it (password_hash) before the INSERT in anything but a demo
$ok = mysql_query("INSERT INTO `userdetails` (`userName` ,`userPassword`) VALUES ('$uname',  '$upass')");
if(!$ok) die("Registration failed!");   // the original redirected to "Registration Successful" even when the INSERT failed

header('Location: index.php?rc');
exit;
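The following is an added example, not code from the original post: the registration step (subReg.php) and the login step (login.php) rewritten on PDO prepared statements with password_hash()/password_verify(), which is what replaces the removed mysql_* extension. It runs against an in-memory SQLite database so it can be executed offline without a MySQL server; the table and column names are the post's, while the DSN, the sample user and the function names are assumptions. For contrast it also prints the SQL string the database would receive from the post's string-built query if the escaping call were left out on one parameter.

```php
<?php
// Added example (not from the original post). Runs on SQLite in memory; for MySQL use the
// DSN 'mysql:host=localhost;dbname=login-sql-injection-php;charset=utf8mb4' instead.
// Table/column names follow the post (userdetails, userId, userName, userPassword);
// the sample user and the function names are assumptions made for this example.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE userdetails (
    userId       INTEGER PRIMARY KEY AUTOINCREMENT,
    userName     TEXT NOT NULL UNIQUE,
    userPassword TEXT NOT NULL)');          // holds a password hash, never the password itself

/** subReg.php equivalent: the password is hashed and both values travel as bound parameters. */
function registerUser(PDO $pdo, string $uname, string $pass): bool
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO userdetails (userName, userPassword) VALUES (:u, :p)');
    try {
        return $stmt->execute([':u' => $uname, ':p' => $hash]);
    } catch (PDOException $e) {
        return false;                       // e.g. duplicate userName
    }
}

/** login.php equivalent: look the row up by username only, then verify the hash in PHP. */
function loginUser(PDO $pdo, string $uname, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT userId, userPassword FROM userdetails WHERE userName = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($pass, $row['userPassword'])) {
        return null;                        // same outcome for unknown user and wrong password
    }
    return (int) $row['userId'];
}

/** The post's string-built query with the escaping forgotten, reproduced only to show what the DB would receive. */
function legacyQuery(string $uname, string $pass): string
{
    return "SELECT * FROM userdetails WHERE userName='$uname' AND userPassword='$pass'";
}

// Constructed sample data
registerUser($pdo, 'alice', 'correct horse battery staple');

$payload = "' OR '1'='1";                   // classic authentication-bypass payload

// 1. Unescaped string-built query: the payload closes the literal and makes the WHERE clause always true.
echo legacyQuery('alice', $payload), PHP_EOL;
// SELECT * FROM userdetails WHERE userName='alice' AND userPassword='' OR '1'='1'

// 2. Prepared statement: the same payload is only data; no hash verifies against it.
var_dump(loginUser($pdo, 'alice', $payload));                          // NULL
var_dump(loginUser($pdo, $payload, 'x'));                              // NULL
var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));    // int(1)
```

Run it with `php` on the command line. On MySQL, keep the charset in the DSN and set `PDO::ATTR_EMULATE_PREPARES` to false so the parameters are bound server-side; with emulated prepares PDO quotes values client-side, which works but again depends on the connection charset being declared in the DSN rather than through a SET NAMES query.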
 

 

home.php

After a successful login the user is redirected to this page. It shows the user's own user name and offers a logout link. The session check at the top has to send the user back to index.php if either session key is missing, and the username has to be HTML-escaped when it is echoed, since it is user-supplied data and would otherwise be a stored XSS.

 
<?php

session_start();
include("../conn.php");
// Reject the request if EITHER session key is missing (the original used && here, so a session with
// only one of the two keys got through) and stop before any of the page below is rendered
if(!isset($_SESSION['user_id']) || !isset($_SESSION['username']))
{
    header('Location: ../index.php');
    exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<title>Adminpanel - How to prevent SQl injection in PHP Mysql Login and Registration system - UandBlog</title>
</head>

<body>


<div style=" width:700px; margin:0 auto; background:#666666; padding:20px;">
<h2 style="text-align:center;">
<a href="logout.php" style="color:#FB987B; text-decoration:none;"><?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?> (Logout)</a></h2>
<h6 style="text-align:center; color:#FFFFFF; font-size:40px;">
Logged in successfully</h6>
</div>

</body>
</html>
 

logout.php

To log out you only have to destroy the session that login.php created. Note that session_destroy() discards the server-side session data but does not clear $_SESSION for the rest of the request and does not remove the session cookie from the browser.
 
<?php
session_start();
$_SESSION = array();   // clear the data for the rest of this request, not only the server-side store
session_destroy();
header('Location: ../index.php?logout');
exit;
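An added example, not part of the original post, of how the session side of login.php and logout.php is handled properly: secure cookie attributes set before session_start(), a fresh session id at login, and a full teardown (session data, browser cookie and server-side store) at logout. The function names are assumptions; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later.

```php
<?php
// Added example (not from the original post). Function names are assumptions.

// Call this instead of a bare session_start() on every page (a shared include is the natural place).
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ]);
    session_start();
}

// login.php: call after the credentials check has succeeded.
function establishLogin(int $userId, string $username): void
{
    // Drop any session id the client had before authenticating, so an id planted by an
    // attacker (session fixation) never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['username'] = $username;
}

// logout.php: session_destroy() alone leaves $_SESSION populated for this request and the cookie in the browser.
function destroyLogin(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,   // in the past: the browser deletes the cookie
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

The regenerate call belongs exactly where the privilege level changes (after a successful login), not on every request; regenerating on every page breaks concurrent requests without adding protection.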


style.css

* { margin: 0; padding: 0; }
body { font: 14px Georgia, serif; }
#page-wrap { width: 960px; margin: 0 auto; }

h3 { margin: 20px 0 10px 0; }

.login-block {
    float:left;
    margin:0 49px 25px 0;
    text-align:center;
    width:260px;

}

.login-block form {
    -moz-border-radius:15px;
    -moz-box-shadow:0 0 10px #333;
    -webkit-border-radius: 15px;
    -webkit-box-shadow: 0 0 10px #333;
    border:3px solid white;
    padding:20px;

}

.login-block .active-form {
    border-color:#d09e6d;
}

.login-block form p {
    margin:0;
    text-align:left;

}

.login-block label {
    color:#7C6767;
    font-size:14px;

}

.login-block input[type="text"], .login-block input[type="password"] {
    border-color:#EEEEEE #CCCCCC #CCCCCC #EEEEEE;
    border-right:1px solid #CCCCCC;
    border-style:solid;
    border-width:1px;
    font-size:15px;
    margin:0 0 15px;
    padding:5px;
    width:200px;

}

.login-block a.button {
    text-decoration:none;
}

.login-block input[type="text"]:focus, .login-block input[type="password"]:focus {
    border-color:#555555;
}

Posted By UandBlog
