PHP Login System Reloaded v1.1

Here’s an updated version of the PHP Login System. You can check the old version here.

The following was added:

1. Registration fields:

  • email confirmation
  • password confirmation
  • country
  • recaptcha

Email confirmation and password confirmation are configurable fields. By default they are shown, but if you wish to remove one or both of them you have to set it in the file constants.php:


2. Table fields:

  • the user ip,
  • number of logins of a user,
  • flag is_admin
  • flag is_blocked
  • new table – Country table

3. dbcontroller class sanitizes user input data

4. Edit Account Area

5. Admin Area – incomplete (for next version)

For now, only the list of users and a world map indicating where the users come from are shown. You can delete users and set them as admins. If there are no users to list, no map is shown. The user viewing the panel is also not shown.
Note that in the demo you will not be able to see the admin part – for admin reasons 🙂

6. New CSS

7. Some other small details in the php code.

For the next version I am planning to:

  • add all admin functions
  • improve and improve ….

To use the recaptcha you need to get a public/private key here. Then you need to define them in constants.php:


In order to use the demo for those who have registered in the previous version’s demo, you need to register again (in the demo login system), since I had to set up another database for it.

Hope you like it. Any suggestions or improvements are welcome!


Download the source code here

Chadking is an absolute geek that rarely leaves the comfort of his 3-screen desk. He is a self taught programmer and is addicted to all possible legal drugs.

Feedback 287

  1. excellent chad, that worked 🙂

    thank you so much 🙂

    Last time I used PHP I didn’t need that, same with the $_POST ones too.

    I feel like I’ve gotta learn it all all over again :S

  2. Hi,
    I already included the new captcha (recaptcha) and the possibility for an admin to add others as admins and/or to remove Users from the system. I didn’t do a new version/post out of this because it was a small change (I didn’t have much time). Please read again this post cause I explain there how to integrate the captcha field.
    I will try to post a new version next week!

  3. First I would like to say this is a great script, and I have been able to make it work as is. I am a complete newb, so please excuse my lack of knowledge on this… but the existing folder structure has the index under public_html. If this is the case, does this make all of the other files/folders inaccessible through a web browser? Or do I just need to rename the public_html to …say a login directory and update all of the other scripts to point to the new login folder?
    The “so-called” problem that I’m facing is that I want to add this script to an existing page, and the whole public_html is messing me up. I apologize for such a basic question, but any help from the forum members would be much appreciated.

    • Hi Joe, thanks.
      I read something about security that suggests such a structure. Also the scripts/css/images should be inside of public_html/. I didn’t do that, I still need to update that point.
      I can’t remember the site from where I downloaded this document that I’m talking about so here’s the excerpt:
      “Normally, pages ending with .php will be handled forwarded to PHP by Apache and therefore the code will be hidden from the users. That the source code is hidden is one of the things that characterizes server-side scripting languages such as PHP. However, the PHP module or Apache might fail and the code might be displayed in plain unparsed text to the user. This is definitely not good. First of all, if the source is visible then it is much easier to find security issues in your application. Additionally, some scripts contain configuration files within the document root (the directory in which all files and sub-folders are publicly accessible from the outside world) and those will obviously not be parsed either thus presented to the user if they enter the filename into the URL. Personally I have experienced this before where I was on a small website and suddenly a misconfiguration of some sort displayed the source code to me. The website used a widely used application and I happened to know where the configuration file was. Sure enough, I was able to view that as well and from that I gathered the root password for the server (bad security practice to use the same password for multiple purposes and it is also bad security practice to use the root MySQL user). Being a nice person I did not do anything with it, but other people might not be as nice as I am and if you have the root password for a server then you can essentially do anything with it. Another instance of this is the popular website Facebook which you have probably heard about in some way or another. What I explained before (server misconfiguration resulting in leaked source code) also has also happened to Facebook. Even big companies with people paid to configure the server apparently sometimes screws up and therefore it is necessary to take some security precautions in order to prevent source leakage if something like that should ever happen (something Facebook apparently did not).
      It all has to do with how you layout your directory structure. So, all files within the document root can be retrieved by the user. Therefore we might as well move everything else out of there so people cannot directly access it. This means we might have index.php and some static files such as CSS, Javascript and images laying inside the document root. We can even take it further and do so the only thing that is in index.php is the following:
      <?php require '../public_index.php'; ?>
      That particular snippet is the only thing the user will ever be able to see should something happen. So we might have a directory structure that looks like this:

      public_html <-- document root
      /index.php
      /media
      /images
      /javascript
      /css
      config
      cache
      tmp
      public_index.php
      logs

      By laying out your files in this manner you will prevent that people will see things they are not supposed to see. It is easy to do so there is no reason why you would not.”

      If you don't want to use that structure, then just move the index.php one folder up to the root, and delete the public_index.php. The boring part is that you need to change in almost all files the reference to index.php instead of public_html/index.php.

      Greetings
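
An added example, not part of the original comment or of the PHP Login System code: a Python check of the layout the excerpt describes. It reports any source or config file that sits inside the document root and whether index.php is only a require stub. The extension list and the sample file names are constructed for illustration.

```python
import os
import re
import tempfile

# Extensions that expose code or secrets when served as plain text (assumed list).
RISKY_EXT = {".php", ".inc", ".ini", ".sql", ".bak", ".log"}
# Stub = open tag, a single require of a path above the docroot, optional close tag.
STUB_RE = re.compile(
    r"""^\s*<\?php\s+require(?:_once)?\s*\(?\s*['"]\.\./[^'"]+['"]\s*\)?\s*;\s*(?:\?>)?\s*$""")

def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(base, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() not in RISKY_EXT:
                continue  # static assets (css, js, images) belong here
            if rel != "index.php":
                findings.append((rel, "source or config file inside document root"))
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not STUB_RE.match(fh.read()):
                    findings.append((rel, "index.php is more than a require stub"))
    return sorted(findings)

def build_sample(root, files):
    """Write a constructed sample tree; files maps relative path -> content."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

def demo():
    """Audit the excerpt's layout, then a constructed layout with code in the docroot."""
    good = {"public_html/index.php": "<?php require '../public_index.php'; ?>\n",
            "public_html/media/css/site.css": "body{}", "config/constants.php": "<?php // secrets"}
    bad = {"public_html/index.php": "<?php include 'php/constants.php'; echo 1;",
           "public_html/php/constants.php": "<?php // secrets", "public_html/php/db.sql": "-- schema"}
    results = []
    for layout in (good, bad):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, layout)
            results.append(audit_docroot(os.path.join(tmp, "public_html")))
    return results

if __name__ == "__main__":
    print(demo())
```

An empty result for the first layout means a handler failure would expose nothing beyond the one-line require; every entry in the second result is a file that would be served as plain text.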

  4. Dear CHADKING,

    Just to let you know that you did a great job.
    Your code is very clean and clear.

    I was starting to modify your code to add some admin features, but I noticed that you’ll be adding a few of them soon. I prefer waiting for the new version rather than messing up with your original code.

    Can’t wait for next week to play around with v1.2.


  5. Thanks for the reply. That totally makes sense for security purposes. How are you handling the resetpassword and confirmation links in the constants.php file? …Are you just making a include statement to point back to those? Like I said I’m a newb and I’m sorry if these questions sound silly.


  6. Okay here I go again…. I think my problem is, unless I include this file structure as is, under my server’s public_html, I can not run as intended…. I think the script refers the…. after I’m logged in, and go to log out I get The requested URL /php/corecontroller.php was not found on this server. I think I can make it work, but the files/folders will not be behind my server’s public_html folder….. Am I just overlooking something simple?

    • Joe,
      The links in constants.php like any other variable there defined, can be used anywhere as long as you include the constants file. In this case it’s being included in dbcontroller.php.
      About the structure, I can’t tell you cause I didn’t try by myself to mount it like that. I will try that structure next time I deploy the script. Meanwhile, if you manage to do so, please post it here…

  8. Thanks for the terrific scripting chadking!! I got it up and working in only minutes. And two days later had it completely integrated with my site and other databases.

    I am not sure that I agree with your security solutions, however. Having virtually the entire site outside of docroot opens endless security concerns by opening the entire OS to possible attacks, while by-passing all of (in my and most cases) apache’s safety procedures. Although it may be ok to use such a layout on one’s own private server, I think most of us here are hosted on a virtual server with 0000000’s of sites running off a single host. A security breach could bring them all down.

    I have added the following lines to my .htaccess file:
    Options -Indexes
    DirectoryIndex /index.php
    ErrorDocument 404 /
    ErrorDocument 403 /
    Would you suggest others?

    Again, thanks for the great code!!!

  9. ::Correction::
    my .htaccess is :
    Options -Indexes
    DirectoryIndex /public_html/index.php
    ErrorDocument 404 /
    ErrorDocument 403 /

    I have all the code in docroot.

  10. Hi Chad,

    when are u posting the latest version of the login system?

    Thanks, eagerly waiting.

  11. When viewing index.php on localhost I get
    Parse error: syntax error, unexpected ‘}’ in C:\xampp\htdocs\folder\login\register\index.php on line 100

    lines 99-102 of register/index.php are:

    I tried deleting/commenting out the bracket but that did not work…

  12. sorry your system won’t show the code with the php brackets.

    line 100-101 of the register/index.php is:


    I tried reversing the bracket and adding a closing bracket but got an error message on the registration page about already being registered even when I dropped and re-created the user table…

  13. Chad

    Thanks for your immediate response. I added “php” to the <? on line 20 and that fixed it.

  14. This script looks nice. I have downloaded it and will try it shortly. Although, I may wait until the weekend is up to see if you publish an updated version.

    “…I will try to make some update this weekend.” – Chadking 07/10/2009 at 18:13

    I usually make one include file containing the db access info and any hash values, random seeds, etc. This file I store off-site – i.e. out of the public HTML access area.

    Thank you for this nice piece of work.


  15. Great script but I’m having a few problems – I found that with the resetpasswordhash field set to not null the site wouldn’t work but have now got to the point where I can get the confirmation email but if I click on the link it reboots my apache service (apache 2.2 running on win XP) but without leaving any error messages.