
Need help creating a custom user registration/login script

Updated: 2023-11-25 17:18:10

For this example I'm going to leave out prepared statements, but you'll need to do some research on SQL-injection prevention.

First you need a form for the user to use to login. Here is a basic one that will be on a page called NewUser.html:

<form action="AddUser.php" method="POST">
<p>Enter A Username: </p>
<input type="text" name="User" maxlength="20" size="10">
<br />
<p>Enter A Password: </p>
<input type="password" name="Password" maxlength="40" size="10">
<br />
<p>Enter Password Again: </p>
<input type="password" name="PasswordX2" maxlength="40" size="10">
<br />
<input type="submit" value="Create Account">
</form>

You can of course add other fields such as email address, etc- but I'm keeping it simple.

Now let's go to the AddUser.php page:

<?php

//Now let's grab our $_POST data from our form and assign them to variables...
$User = $_POST['User'] ?? '';
$PW = $_POST['Password'] ?? '';
$PW2 = $_POST['PasswordX2'] ?? '';

//Check whether user put anything in the fields for user or passwords
if ($User === '' || $PW === '' || $PW2 === '') {
    echo "You have not entered all the needed info. Please try again.";
    exit();
}

//Check if passwords match
if ($PW !== $PW2) {
    echo "Your passwords do not match. Please go back and try again.";
    exit();
}

//Now we want to be good stewards of passwords and information so let's hash that password
$hash = password_hash($PW, PASSWORD_BCRYPT);

//Open your connection to database (placeholder values - use your own host, user, password and database name)
$dbconnect = new mysqli('localhost', 'db_user', 'db_password', 'db_name');

//Now let's insert the new user into the database - remember do not do this without SQL-injection prevention. I'm just giving you the basics.
$sql = "INSERT INTO UsersTable (UserName, Password)
        VALUES ('".$User."', '".$hash."')";

//Verify Successful Entry
if (mysqli_query($dbconnect, $sql)) {
    echo "User Added Successfully";
} else {
    echo "Error Creating User: " . mysqli_error($dbconnect);
}

echo "<br /><p>Please go to the main page to login now.</p>";
?>

So the user has now been created, password has been hashed with a salt and inserted into DB... seriously don't forget SQL-injection.

Now you'll have a form that is very similar to the NewUser.html form for logging in, but it won't require the password to be entered twice. Let's say that login form sends the user to a page called login.php:

<?php
session_start(); //starts a session for tracking user on each page - this has to be on every page

//Let's get our variables from the POST data- will be identical to before most likely
$User = $_POST['User'] ?? '';
$PW = $_POST['Password'] ?? '';

//Open your connection to database (placeholder values - use your own host, user, password and database name)
$dbconnect = new mysqli('localhost', 'db_user', 'db_password', 'db_name');

//Let's see if the username and password matches what we have in the database
$sql = "SELECT UsersTable.UserName, UsersTable.Password
        FROM UsersTable
        WHERE UsersTable.UserName = '$User'";
$result = $dbconnect->query($sql);

//Let's get the hashed password that corresponds to that username
$row = $result->fetch_assoc();
$HashedPassword = $row['Password'] ?? ''; //empty when the username was not found, so password_verify() below fails

//Let's verify the password is correct
if (password_verify($PW, $HashedPassword)) {
    //if it is correct(true) this will now happen
    session_regenerate_id(true); //issue a fresh session ID at login so an ID set before login cannot be reused
    $_SESSION['verified_user'] = $User; //registers user by storing it in a SESSION
} else {
    echo "Login failed. Try again.";
    exit();
}
?>

Just a tip, if you want to add access levels you can store a place in the database with an access number (ex: 1, 2, 3) and then upon successfully logging in you would assign another $_SESSION that represents their access level and gives them access to certain sections you allow.

Now when they navigate to other pages on your site their session will be verified like this:

ExamplePage.php

<?php
session_start();

if (isset($_SESSION['verified_user'])) {
//User is verified and whatever is here will be visible and happen- YAY!
}
else {
echo "You are not logged in and cannot see this page.";
}
?>

Just get in the habit of starting a session on every page where access is only allowed by those who are logged in. Sessions are remembered from page to page.

Don't forget to give them a logout page which will destroy the session: logout.php

<?php
session_start();

unset($_SESSION['verified_user']);
session_destroy();
echo "You are logged out.";
?>
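
The answer above leaves out prepared statements, so here, as an added example that is not part of the original answer, are the AddUser.php insert and the login.php lookup written with mysqli prepared statements. The helper names add_user and check_login and the connection values are assumptions; UsersTable, UserName and Password are the names used in the answer's code.

```php
<?php
// Added example, not the original answer's code: the same two queries
// using mysqli prepared statements so user input never becomes SQL text.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw exceptions

// Hypothetical helper: hash the password and insert the new user.
function add_user(mysqli $db, string $user, string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO UsersTable (UserName, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash); // both values are bound as strings
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Hypothetical helper: look up the stored hash and verify the password.
function check_login(mysqli $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM UsersTable WHERE UserName = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true when a row was read, null when no user matched
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// Placeholder connection values: replace with your own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');

// Constructed input: the apostrophe would break the string-built queries,
// but as a bound parameter it is stored and matched as ordinary data.
$name = "O'Brien";
add_user($db, $name, 'correct horse battery staple');
var_dump(check_login($db, $name, 'correct horse battery staple'));
var_dump(check_login($db, $name, 'wrong password'));
```

The Password column has to hold the full 60-character bcrypt string; a shorter column truncates the hash and every login then fails.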