JINSI YA KUTENGENEZA SECURE LOGIN SYSTEM KWA PHP NA MYSQL (COMPLETE EXAMPLE)

Secure login system inapaswa kuwa na:

Password hashing – password_hash() na password_verify()

Prepared statements – kuzuia SQL injection

Session management – kudumisha authentication

Input validation & sanitization – kuzuia malicious input

⚙️ 2. Database Structure (MySQL)
CREATE DATABASE secure_login;

USE secure_login;

CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL UNIQUE,
email VARCHAR(100) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

🧩 3. Registration Page (register.php)
<?php
session_start();
$host = "localhost";
$db = "secure_login";
$user = "root";
$pass = "";
$dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";

try {
$pdo = new PDO($dsn, $user, $pass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e){
die("DB Connection failed: " . $e->getMessage());
}

if(isset($_POST['register'])){
$username = htmlspecialchars(trim($_POST['username']));
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$password = $_POST['password'];

if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
die("❌ Invalid email address.");
}

$hashed_password = password_hash($password, PASSWORD_DEFAULT);

$stmt = $pdo->prepare("INSERT INTO users (username, email, password) VALUES (:username, :email, :password)");
$stmt->execute([
'username' => $username,
'email' => $email,
'password' => $hashed_password
]);

echo "✅ Registration successful!";
}
?>

<form action="" method="POST">
<input type="text" name="username" placeholder="Username" required><br><br>
<input type="email" name="email" placeholder="Email" required><br><br>
<input type="password" name="password" placeholder="Password" required><br><br>
<button type="submit" name="register">Register</button>
</form>

🧩 4. Login Page (login.php)
<?php
session_start();
$pdo = new PDO("mysql:host=localhost;dbname=secure_login;charset=utf8mb4", "root", "");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if(isset($_POST['login'])){
$username = htmlspecialchars(trim($_POST['username']));
$password = $_POST['password'];

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $username]);
$user = $stmt->fetch();

if($user && password_verify($password, $user['password'])){
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
echo "✅ Login successful! Welcome, " . $_SESSION['username'];
} else {
echo "❌ Invalid credentials!";
}
}
?>

<form action="" method="POST">
<input type="text" name="username" placeholder="Username" required><br><br>
<input type="password" name="password" placeholder="Password" required><br><br>
<button type="submit" name="login">Login</button>
</form>

⚡ 5. Logout Page (logout.php)
<?php
session_start();
session_unset();
session_destroy();
header("Location: login.php");
exit();

🔑 6. Security Enhancements

Prepared Statements – prevent SQL Injection.

Password Hashing – secure password storage.

Sessions – manage authenticated users.

Input Sanitization – prevent XSS or malicious input.

Optional: CSRF tokens, HTTPS, session timeout, and account lockout after failed attempts.

✅ 7. Hitimisho

This system demonstrates secure registration, login, and logout.

Combining password hashing, prepared statements, sessions, na input sanitization ensures strong security.

Can be extended with multi-level access, email verification, na CSRF protection.

🔗 Tembelea:

👉 https://www.faulink.com/

Kwa mafunzo zaidi ya PHP, secure login systems, na web application security.