Hacking with PHP has been updated for PHP 7 - click here! >>

Dynamic authentication

A far better method to authenticate users is to compare their credentials to a members database table. By storing all your data in a database, you can easily add, edit, and revoke access permissions using PHP pages and a little SQL.

Execute this query at your MySQL prompt to create the table necessary to store our authentication details:


Even if you skipped the chapter on databases, you should be able to make out that the above command will create a table named "userauth" which contains three data fields in each row - an ID integer, a variable length character field "Username", and a variable length character field "Password" - just enough information to authenticate users. The ID is there to identify rows uniquely; we can refer to an authenticated user as a number, rather than as a user and password.

To allow users to add themselves to the authentication list, create a new file, addauth.php, and enter the following code:

    if (isset($_POST['username'])) {
        $db = mysqli_connect("localhost", "phpuser", "alm65z", "phpdb");
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);
        mysqli_query($db, "INSERT INTO userauth (Username, Password) VALUES ('$username', '$password');");
        print "Welcome to the system, {$_POST['username']}!";
    } else {
<form method="post" action="addauth.php">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value=" Add User ">

<?php }

Note that I am using the database "phpdb". You may need to create this - use "create database phpdb;" from the MySQL command prompt.

With a call to mysqli_query() near the top of the script, the new username and password is inserted into our table and a short confirmation message is sent back to the client.

Try running the script just by itself - you can monitor changes to your userauth database table from the MySQL command line by using the MySQL command

SELECT * FROM userauth;

Now that users can be dynamically added using addauth.php, let's modify our original auth.php script to check input against what we have in our database.

// amend the following line
if (($_SERVER['PHP_AUTH_USER'] == 'paul') && ($_SERVER['PHP_AUTH_PW'] == 'hudson')) {
// to this...
$db = mysqli_connect("localhost", "phpuser", "alm65z", "phpdb");
$username = mysqli_real_escape_string($db, $_SERVER['PHP_AUTH_USER']);
$password = mysqli_real_escape_string($db, $_SERVER['PHP_AUTH_PW']);
$result = mysqli_query($db, "SELECT ID FROM userauth WHERE Username = '$username' AND Password = '$password';");

if (mysqli_num_rows($result)) {

Rather than comparing the username and password to prewritten values, we now check whether they are found in our userauth table. If mysqli_num_rows($result) returns one or more rows, it means we have at least one member with the credentials provided, so we should allow them access.


If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Sending mail >>

Previous chapter: Authentication over HTTP

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.