HOW TO BUILD A SECURE MULTI-USER SYSTEM WITH PHP AND MYSQL
User registration & login
Password hashing & verification
Role-based access control (RBAC)
Session management
Input validation & security
Goal: Ensure each user can only access the data and functionality they are authorized to (authentication decides who the user is; authorization decides what that user may do).
2. Database Structure
CREATE DATABASE multi_user_system;
USE multi_user_system;
CREATE TABLE roles (
id INT AUTO_INCREMENT PRIMARY KEY,
role_name VARCHAR(50) NOT NULL UNIQUE
);
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL UNIQUE,
email VARCHAR(100) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
role_id INT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (role_id) REFERENCES roles(id)
);
-- Insert basic roles
INSERT INTO roles (role_name) VALUES ('Admin'), ('User');
3. User Registration (register.php)
<?php
declare(strict_types=1);
session_start();
// Use a dedicated, least-privilege MySQL account; never run the web app as root.
$pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4", "app_user", "app_password");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_POST['register'])) {
    // Validate on the way in, escape on the way out. Storing htmlspecialchars()
    // output in the database corrupts the data and still needs escaping later.
    $username = trim($_POST['username'] ?? '');
    $email    = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';
    $error    = null;

    if (!preg_match('/^[A-Za-z0-9_]{3,50}$/', $username)) {
        $error = "Username must be 3-50 letters, digits or underscores.";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = "Invalid email address.";
    } elseif (strlen($password) < 12) {
        $error = "Password must be at least 12 characters.";
    }

    if ($error === null) {
        // Never let the client choose its own role: a self-selected "Admin"
        // option is a privilege-escalation hole. New accounts are always 'User';
        // an existing admin promotes them later.
        $role_id = (int) $pdo->query("SELECT id FROM roles WHERE role_name = 'User'")->fetchColumn();
        $hashed_password = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $pdo->prepare("INSERT INTO users (username, email, password, role_id) VALUES (:username, :email, :password, :role_id)");
        try {
            $stmt->execute([
                'username' => $username,
                'email'    => $email,
                'password' => $hashed_password,
                'role_id'  => $role_id,
            ]);
            echo "✅ Registration successful!";
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (duplicate username or email)
            if ((string) $e->getCode() === '23000') {
                $error = "Username or email already taken.";
            } else {
                throw $e;
            }
        }
    }
    if ($error !== null) {
        echo "❌ " . htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    }
}
?>
<form action="" method="POST">
<input type="text" name="username" placeholder="Username" required><br><br>
<input type="email" name="email" placeholder="Email" required><br><br>
<input type="password" name="password" placeholder="Password" minlength="12" required><br><br>
<button type="submit" name="register">Register</button>
</form>
4. User Login (login.php)
<?php
declare(strict_types=1);
// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
ini_set('session.use_strict_mode', '1');
session_start();
$pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4", "app_user", "app_password");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (isset($_POST['login'])) {
    // No htmlspecialchars() here: the value is bound as a query parameter, not
    // rendered, and encoding it would break lookups of legitimate usernames.
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';

    $stmt = $pdo->prepare("SELECT u.*, r.role_name FROM users u JOIN roles r ON u.role_id = r.id WHERE u.username = :username");
    $stmt->execute(['username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic message for both "unknown user" and "wrong password"
    // avoids username enumeration.
    if ($user && password_verify($password, $user['password'])) {
        // Regenerate the ID so a session fixated before login is useless.
        session_regenerate_id(true);
        $_SESSION['user_id']  = $user['id'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['role']     = $user['role_name'];
        // Transparently upgrade old hashes when PASSWORD_DEFAULT changes.
        if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
            $upd = $pdo->prepare("UPDATE users SET password = :p WHERE id = :id");
            $upd->execute(['p' => password_hash($password, PASSWORD_DEFAULT), 'id' => $user['id']]);
        }
        // Escape at output time: the username is user-controlled.
        echo "✅ Login successful! Welcome, " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    } else {
        echo "❌ Invalid credentials!";
    }
}
?>
<form action="" method="POST">
<input type="text" name="username" placeholder="Username" required><br><br>
<input type="password" name="password" placeholder="Password" required><br><br>
<button type="submit" name="login">Login</button>
</form>
5. Role-Based Access Control Example
<?php
session_start();
if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit();
}
// Only allow Admins. The role was copied into the session at login, so a
// demotion in the database only takes effect after the user logs in again;
// re-query the role from the database on pages where that delay matters.
if ($_SESSION['role'] !== 'Admin') {
    http_response_code(403);
    die("❌ Access denied. Admins only.");
}
// Admin content; escape anything user-controlled before echoing it.
echo "Welcome Admin " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
?>
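Page-level role checks like the one above are only half of authorization: every logged-in user passes the "is logged in" gate, so each record must also be checked against its owner, or any user can open another user's data by changing an id in the URL. The following guard file is an added example, not code from the original tutorial. It assumes the `users`/`roles` tables from section 2, that login.php stored `$_SESSION['user_id']`, a hypothetical `documents(id, owner_id, title)` table, and hypothetical `app_user`/`app_password` database credentials.

```php
<?php
// auth_guard.php: added example, not part of the original tutorial.
// Assumes the users/roles tables from section 2, $_SESSION['user_id'] set by
// login.php, and a hypothetical `documents(id, owner_id, title)` table used
// to illustrate per-record (object-level) authorization.
declare(strict_types=1);

function db(): PDO
{
    // Hypothetical least-privilege credentials; adjust to your environment.
    $pdo = new PDO("mysql:host=localhost;dbname=multi_user_system;charset=utf8mb4", "app_user", "app_password");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

// Re-read the role on every request instead of trusting the copy made at
// login, so demoting or deleting a user takes effect immediately.
function current_user(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        "SELECT u.id, u.username, r.role_name
           FROM users u JOIN roles r ON r.id = u.role_id
          WHERE u.id = :id"
    );
    $stmt->execute(['id' => (int) $_SESSION['user_id']]);
    $user = $stmt->fetch();
    return $user === false ? null : $user;
}

function require_login(PDO $pdo): array
{
    $user = current_user($pdo);
    if ($user === null) {
        // Stale session (user deleted) or no session at all.
        $_SESSION = [];
        session_destroy();
        header("Location: login.php");
        exit();
    }
    return $user;
}

// Accept any of the listed roles, e.g. require_role($pdo, 'Admin', 'Editor').
function require_role(PDO $pdo, string ...$roles): array
{
    $user = require_login($pdo);
    if (!in_array($user['role_name'], $roles, true)) {
        http_response_code(403);
        exit("Access denied.");
    }
    return $user;
}

// Object-level check: the role decides which pages a user may open, but each
// record is also filtered by ownership in the query itself, so a non-admin
// cannot read /document.php?id=<someone else's id>. Admins may read any record.
function load_document(PDO $pdo, array $user, int $docId): ?array
{
    if ($user['role_name'] === 'Admin') {
        $stmt = $pdo->prepare("SELECT id, owner_id, title FROM documents WHERE id = :id");
        $stmt->execute(['id' => $docId]);
    } else {
        $stmt = $pdo->prepare(
            "SELECT id, owner_id, title FROM documents WHERE id = :id AND owner_id = :owner"
        );
        $stmt->execute(['id' => $docId, 'owner' => $user['id']]);
    }
    $doc = $stmt->fetch();
    return $doc === false ? null : $doc;
}

// Usage in a hypothetical document.php (session_start() must run first):
//   session_start();
//   $pdo  = db();
//   $user = require_role($pdo, 'Admin', 'User');
//   $doc  = load_document($pdo, $user, (int) ($_GET['id'] ?? 0));
//   if ($doc === null) { http_response_code(404); exit("Not found."); }
//   echo htmlspecialchars($doc['title'], ENT_QUOTES, 'UTF-8');
```

Returning 404 rather than 403 when a record belongs to someone else avoids confirming to the caller that the record exists at all. Putting the ownership condition inside the SQL, rather than fetching first and comparing in PHP, means there is no code path that holds another user's row in memory by mistake.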
6. Security Enhancements
Password hashing: use password_hash() and password_verify(); never store plaintext or unsalted hashes.
Session management: regenerate the session ID after login, set the HttpOnly, Secure and SameSite cookie flags, enable session.use_strict_mode, and expire idle sessions.
Input validation and output escaping: prepared statements prevent SQL injection; htmlspecialchars() at output time prevents XSS. Validate input on the way in; do not store escaped data.
Role-based access control: restrict sensitive pages to authorized roles and individual records to their owners.
HTTPS enforcement: serve the whole site over TLS. HTTPS encrypts the connection, not the cookie itself; the Secure cookie flag is what guarantees the session cookie is never sent in clear text.
Optional: CSRF tokens on all state-changing forms, and a login attempt limiter against password guessing.
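The list above names the controls but does not show them wired together. The file below is an added example, not code from the original tutorial, implementing HTTPS enforcement, session hardening with an idle timeout, CSRF tokens and a database-backed login attempt limiter. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params()) and a hypothetical `login_attempts` table whose definition is given in the comment at the top.

```php
<?php
// security.php: added example, not part of the original tutorial.
// Assumes a hypothetical table for the login limiter:
//   CREATE TABLE login_attempts (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(50) NOT NULL,
//     ip VARCHAR(45) NOT NULL,
//     attempted_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
//     INDEX (username, attempted_at)
//   );
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // failures allowed ...
const LOCKOUT_MINUTES = 15;   // ... within this window
const IDLE_TIMEOUT    = 1800; // seconds of inactivity before forced logout

// 1. HTTPS enforcement: redirect before any cookie is set, then pin HTTPS with HSTS.
function enforce_https(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit();
    }
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
}

// 2. Session hardening: Secure/HttpOnly/SameSite cookie, strict mode (reject
//    session IDs the server never issued) and an idle timeout. With
//    'secure' => true the cookie is not sent over plain http://, so local
//    development also needs TLS or a per-environment override.
function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $_SESSION = [];                 // idle too long: drop everything
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// 3. CSRF: one random token per session, embedded in every form and compared
//    in constant time with hash_equals().
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function verify_csrf(): void
{
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit("Invalid CSRF token.");
    }
}

// 4. Login attempt limiter keyed on the username, so an attacker cannot
//    bypass it by rotating IPs; the IP is still recorded for forensics.
function too_many_attempts(PDO $pdo, string $username): bool
{
    // LOCKOUT_MINUTES is an integer constant, so interpolating it is safe.
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM login_attempts
          WHERE username = :u AND attempted_at > (NOW() - INTERVAL " . LOCKOUT_MINUTES . " MINUTE)"
    );
    $stmt->execute(['u' => $username]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

function record_failed_attempt(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare("INSERT INTO login_attempts (username, ip) VALUES (:u, :ip)");
    $stmt->execute(['u' => $username, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '']);
}

function clear_attempts(PDO $pdo, string $username): void
{
    $pdo->prepare("DELETE FROM login_attempts WHERE username = :u")->execute(['u' => $username]);
}

// Usage in login.php, replacing the bare session_start():
//   require 'security.php'; enforce_https(); start_secure_session();
//   if (isset($_POST['login'])) {
//       verify_csrf();
//       if (too_many_attempts($pdo, $username)) { http_response_code(429); exit("Too many attempts. Try again later."); }
//       if ($user && password_verify($password, $user['password'])) { clear_attempts($pdo, $username); /* ... */ }
//       else { record_failed_attempt($pdo, $username); /* ... */ }
//   }
// and inside the <form>:  <?= csrf_field() ?>
```

Two details worth noting: the limiter counts failures per username within a sliding window, so a correct login after a lockout clears the record and the user is not punished further, and the 429 response is returned before password_verify() runs, which keeps a locked account from being used as an oracle for guessing.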
7. Conclusion
A multi-user system requires both authentication (proving who the user is) and authorization (deciding what that user may do).
Combine strong password hashing, hardened sessions, RBAC with per-record ownership checks, and input validation with output escaping for defence in depth.
The design can be extended with activity logging, multi-level roles, and secure file access.
Visit:
https://www.faulink.com/
For more tutorials on PHP, multi-user systems, and web application security.