Nov 162014
Article HTML

A web site that is going to offer a customized service for registered users need to implement a signup and login procedure. Validated users can then be granted access to functionalities that could eventually make use of specific user data, not available for anonymous users.

This post explains a possible implementation of this signup and login procedure in PHP

1. Signup form

The signup form must request as a minimum the user identifier and password that will be needed later for the user to login to the service. It is quite common to also request an email address, and this email address is more and more used as the user identifier.

The signup form may request some additional information: age, gender, address,… Some of these data may be optional and some other mandatory, depending on the type of service offered by the web site.

For instance, the following HTML code generates a form requesting an email address and password, and gives the option to subscribe to a newsletter:

This HTML code, together with some CSS style, generates a form:



2. Processing the signup form

When the “Sign Up” button is clicked, the content of the form is sent to the “register.php” script to be processed.

But before the form is sent to the server, in a production service it is common to add some kind of client-side validation (verify that the syntax of the email address is valid, the content of fields “Password” and “Confirm Pasword” match, the password has a minimum length, etc.). This validation is implemented by means of a javascript function attached to the “onsubmit” event that is triggered immediately before the form content is sent.

Nevertheless, it is advisable to perform again the validation on the server, as part of the process performed by the “register.php” script.

“register.php” can be implemented as follows:

2.1. Reading the form data received

The sample signup form above specified method=”POST”. Therefore, the values of the form fields are made available to the PHP script as elements in the $_POST array:

2.2. Performing validation of the input data

The most basic validation that can be done is testing that the password has a minimum length, and the confirmation password matches. It these tests fail, an appropiate message is printed:

Besides, it is a good partice to check that the syntax of the email address is correct. The standard PHP function filter_var can be used for this:

Note: filter_var() can also be used to check the validity of other field types, in case they are added to the form, using the appropriate flag: FILTER_VALIDATE_BOOLEAN, FILTER_VALIDATE_INT, FILTER_VALIDATE_IP, FILTER_VALIDATE_URL, etc. The list of available validation filter types can be consulted here

2.3. Inserting the user in the database

The list of registered users must be stored somewhere. In this guide we will assume that a table ‘users’ in a mysql database is used to keep this list.

The table ‘users’ has the following fields:

  • email  – email address. This field must be the primary key of the table, to avoid duplicates.
  • password – password
  • newsletter – set to true if the user wants to receive the newsletter
  • registration_date timestamp DEFAULT CURRENT_TIMESTAMP – signup date
  • activation_key – used to confirm the email address, as explained in 2.4.
  • validated – flag to indicate that the confirmation of the email address has succeeded

The registration procedure must check if the email address entered is already in the users table. If the email field is defined as the primary key of the userstable, this can be done at the time the user record is inserted, because the insert will fail with a “duplicate key” error if the user existed:

The function “generate_random_key()” generates a random, 32 characters long activation key. It  can be implemented as follows:

2.4. Sending a confirmation email

A confirmation email is sent to the email address entered, with a link that needs to be clicked to complete the signup process. A possible implementation of this can be done using the standard mail() function:

When the user receives the email and clicks on the link, the script “activate.php” is executed on the server. The activation key is passed as the value of the argument “activation”.

The script activate.php justs toggles the flag “validate” in the users table, starts a session, and display a confirmation message:

And that completes the signup procedure

3. Login form

The login form could just have two fields “email” and “password” that are sent to a “login.php” script. It is also common to add a link to recover or reset the password if it has been forgotten. This HTML code generates a sample login form:

With this code and some CSS style, the sample login form can look like this:



The “login.php” script must check that there is a matching entry in the users table for the email and password entered, and start a validated session:


 Posted by at 4:54 pm

 Leave a Reply