Implementing User Authentication and Authorization in PHP
This article explains how to implement user authentication and role‑based authorization in PHP, covering password hashing with password_hash/password_verify, database queries for credential verification, and conditional logic for granting access based on user roles, with sample code snippets illustrating each step.
When developing web applications, user authentication and permission control are essential for protecting privacy and system security. In PHP, these functions can be built using built‑in functions and simple conditional logic.
User authentication verifies a user's identity, typically by checking a submitted password against a stored hash. The following example demonstrates retrieving the stored hash from a MySQL database and validating the password with
// 假设用户提供的用户名和密码存储在数据库中<br/>$username = $_POST['username'];<br/>$password = $_POST['password'];<br/><br/>// 从数据库中查询用户名对应的密码哈希值<br/>$query = "SELECT password FROM users WHERE username = '$username'";<br/>$result = mysqli_query($connection, $query);<br/>$row = mysqli_fetch_assoc($result);<br/>$hashedPassword = $row['password'];<br/><br/>// 验证密码是否正确<br/>if (password_verify($password, $hashedPassword)) {<br/> // 密码正确,用户认证成功<br/> // 在这里可以设置用户的登录状态,如设置session或cookie等<br/>} else {<br/> // 密码错误,用户认证失败<br/>}to perform the verification.
Permission control restricts what resources and actions a logged‑in user may access. By checking the user's role stored in the database, the application can grant or deny access accordingly. The following snippet shows a typical role‑based check:
// 假设用户已经登录,并且登录状态存储在session中<br/>if (isset($_SESSION['user_id'])) {<br/> $userId = $_SESSION['user_id'];<br/><br/> // 查询用户在数据库中的角色<br/> $query = "SELECT role FROM users WHERE id = '$userId'";<br/> $result = mysqli_query($connection, $query);<br/> $row = mysqli_fetch_assoc($result);<br/> $role = $row['role'];<br/><br/> // 根据角色设置不同的权限<br/> if ($role == 'admin') {<br/> // 管理员拥有所有权限,可以访问所有页面和执行所有操作<br/> } elseif ($role == 'user') {<br/> // 普通用户只能访问部分页面和执行部分操作<br/> } else {<br/> // 其他角色没有权限访问页面和执行操作<br/> }<br/>} else {<br/> // 用户未登录,跳转到登录页面或其他处理逻辑<br/>}These examples are illustrative; real‑world applications should adapt the logic to specific requirements, possibly storing roles and permissions in dedicated tables or leveraging frameworks that provide built‑in authentication and authorization mechanisms. Proper design and implementation improve system security and user experience for web applications.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
php Courses
php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.