How to check user login behavior in PHP

In website development, login is an essential function. This article will introduce how to check the user's login behavior in PHP.

1. Basic concepts of checking user login
1.1 User identity authentication
User identity authentication generally refers to checking whether the user name and password entered by the user match the data stored in the system. The username and password entered by the user usually require some basic checks on the client (browser), such as whether the username is empty or whether the length meets the requirements.

1.2 Session Control
Session control refers to using some mechanisms to ensure that users can maintain their logged-in status when entering various pages of the website after the user successfully logs in. In PHP, session control can be achieved through session technology.

2. Code implementation for checking user login in PHP
Code implementation for checking user login in PHP, usually on the user login page, accepts the user name and password entered by the user, and checks its legality in the background . Here is a simple example:

index.php (login page)

<!DOCTYPE html>  
<html>  
<head>  
<meta charset="utf-8">  
<title>用户登录</title>  
</head>  
<body>  
<form action="login.php" method="post">  
<label>用户名：</label><input type="text" name="username" required><br>  
<label>密码：</label><input type="password" name="password" required><br>  
<input type="submit" value="登录">  
</form>  
</body>  
</html>

login.php (login check page)

<?php  
session_start();    // 启用 session  
$username = $_POST[&#39;username&#39;];    // 获取用户输入的用户名  
$password = $_POST[&#39;password&#39;];    // 获取用户输入的密码  

if ($username == &#39;admin&#39; && $password == &#39;123456&#39;) {    // 假设 admin 为合法用户，密码为 123456  
    $_SESSION[&#39;username&#39;] = $username;    // 存储用户名到 session 中  
    header(&#39;Location: welcome.php&#39;);    // 跳转到欢迎页面  
} else {  
    echo "用户名或密码错误，请重新登录。";  
}  
?>

welcome.php (welcome page)

<?php  
session_start();    // 启用 session  
if (isset($_SESSION[&#39;username&#39;])) {    // 判断是否已登录  
    echo "欢迎" . $_SESSION[&#39;username&#39;] . "登录成功！";  
} else {  
    header(&#39;Location: index.php&#39;);    // 如果未登录，跳转回登录页面  
}  
?>

In the above example, when the user enters the username and password on the login page and submits the form to the login.php page, this page will perform verification. If the username and password are correct, they will be stored in the session and Jump to the welcome page welcome.php. In the welcome page, it will check whether the user is already logged in. If so, the welcome message can be displayed, otherwise the user will be redirected back to the login page.

3. PHP check login techniques
3.1 Protect password
In order to protect the user password from being leaked, it generally needs to be encrypted and stored. In PHP, passwords can be encrypted using the md5() function or the sha1() function. For example:

$password = md5($_POST['password']);    // 将密码用 md5() 函数加密后存储

3.2 Preventing CSRF attacks
CSRF (Cross-site request forgery) attack means that the attacker pretends to be a user and sends a request to the server by forging a user request. Generally speaking, in order to prevent CSRF attacks, you can add a randomly generated token to the form and then check its validity in the background. For example:

index.php (login page)

<!DOCTYPE html>  
<html>  
<head>  
<meta charset="utf-8">  
<title>用户登录</title>  
</head>  
<body>  
<form action="login.php" method="post">  
<input type="hidden" name="token" value="<?php echo uniqid(); ?>">     <!-- 添加随机 token -->
<label>用户名：</label><input type="text" name="username" required><br>  
<label>密码：</label><input type="password" name="password" required><br>  
<input type="submit" value="登录">  
</form>  
</body>  
</html>

login.php (login check page)

<?php  
session_start();    // 启用 session  
$username = $_POST[&#39;username&#39;];    // 获取用户输入的用户名  
$password = $_POST[&#39;password&#39;];    // 获取用户输入的密码  

if ($_POST[&#39;token&#39;] !== $_SESSION[&#39;token&#39;]) {    // 检查 token 是否合法  
    echo "非法请求！";  
} elseif ($username == &#39;admin&#39; && $password == &#39;123456&#39;) {    // 假设 admin 为合法用户，密码为 123456  
    $_SESSION[&#39;username&#39;] = $username;    // 存储用户名到 session 中  
    header(&#39;Location: welcome.php&#39;);    // 跳转到欢迎页面  
} else {  
    echo "用户名或密码错误，请重新登录。";  
}  
?>

3.3 Preventing XSS attacks
XSS (Cross-site scripting ) attack refers to an attacker stealing user information or achieving certain damage by injecting certain malicious code. In order to prevent XSS attacks, you can use the htmlspecialchars() function to process user input. For example:

$username = htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');    // 对用户名进行处理

4. Summary
This article introduces the basic concepts and code implementation of checking user login in PHP, as well as some techniques to prevent CSRF and XSS attacks. In the actual development process, corresponding adjustments and optimizations need to be made according to specific circumstances.

The above is the detailed content of How to check user login behavior in PHP. For more information, please follow other related articles on the PHP Chinese website!