Login PHP 7 MySqli

I see that you're working on a login system with CSRF protection using PHP and MySQL. Below, I've optimized, improved security, and added missing features to ensure better protection and functionality.

Improvements & Fixes:

1. Security Fixes:

   • Hashed passwords using password_hash() and password_verify()

   • Implemented CSRF protection for login form

   • Used prepared statements to prevent SQL Injection

2. Error Handling:

   • Improved validation messages.

   • Proper error feedback for incorrect logins.

Database Schema (database.sql)

CREATE TABLE `login` (
  `id` INT(6) AUTO_INCREMENT PRIMARY KEY,
  `username` VARCHAR(40) NOT NULL,
  `password` VARCHAR(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Insert an example user (password: `password123`)
INSERT INTO `login` (`username`, `password`) VALUES 
('soengsouy', '$2y$10$E9b1JHjv1HRYFS5Md.HbLeq2GYoPkjN9k9mTgN1c06X2FcvEzOFE.');

Note: The password password123 is now hashed. You need to register new users with hashing.

Database Connection (connection.php)

<?php
session_start();

// Database connection
$conn = new mysqli("localhost", "root", "", "login_csrf");

// Check connection
if ($conn->connect_error) {
    die("Database connection failed: " . $conn->connect_error);
}

// CSRF Token Generation
if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
?>

Secure User Registration (register.php)

<?php
include 'connection.php';
$error = '';

if (isset($_POST["submit"])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    // Validate username
    if (empty($username) || !preg_match("/^[a-zA-Z0-9_]*$/", $username)) {
        $error .= "<div class='alert alert-danger text-center'>Invalid username!</div>";
    }

    // Validate password (minimum 6 characters)
    if (empty($password) || strlen($password) < 6) {
        $error .= "<div class='alert alert-danger text-center'>Password must be at least 6 characters long!</div>";
    }

    // CSRF protection
    if ($_POST['token'] !== $_SESSION['csrf_token']) {
        die("CSRF validation failed!");
    }

    if (empty($error)) {
        // Hash password
        $hashed_password = password_hash($password, PASSWORD_DEFAULT);

        // Insert user into database
        $stmt = $conn->prepare("INSERT INTO login (username, password) VALUES (?, ?)");
        $stmt->bind_param("ss", $username, $hashed_password);
        $stmt->execute();
        $stmt->close();

        $error = "<div class='alert alert-success text-center'>Registration successful! Please log in.</div>";
    }
}
?>

Secure Login (index.php)

<?php
require 'register.php';

// Handle login
if (isset($_POST['login'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    // CSRF protection
    if ($_POST['token'] !== $_SESSION['csrf_token']) {
        die("CSRF validation failed!");
    }

    // Fetch user from database
    $stmt = $conn->prepare("SELECT password FROM login WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();
    
    if ($stmt->num_rows > 0) {
        $stmt->bind_result($hashed_password);
        $stmt->fetch();
        
        // Verify password
        if (password_verify($password, $hashed_password)) {
            $_SESSION['username'] = $username;
            header("Location: dashboard.php"); // Redirect to a dashboard page
            exit;
        } else {
            $error = "<div class='alert alert-danger text-center'>Invalid credentials!</div>";
        }
    } else {
        $error = "<div class='alert alert-danger text-center'>Invalid credentials!</div>";
    }
    $stmt->close();
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <title>Secure Login</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" type="text/css" href="css/main.css">
</head>
<body>

<div class="login-container">
    <form method="post" action="index.php">
        <h2>Login</h2>
        <?= $error; ?>

        <input type="hidden" name="token" value="<?= $_SESSION['csrf_token']; ?>">

        <label>Username</label>
        <input type="text" name="username" required>

        <label>Password</label>
        <input type="password" name="password" required>

        <button type="submit" name="login">Login</button>
    </form>
</div>

</body>
</html>

Styling (css/main.css)

body {
    background: #f8f9fa;
    font-family: Arial, sans-serif;
}

.login-container {
    width: 350px;
    margin: 100px auto;
    padding: 20px;
    background: #fff;
    border-radius: 5px;
    box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
    text-align: center;
}

h2 {
    margin-bottom: 20px;
}

input {
    width: 100%;
    padding: 10px;
    margin: 10px 0;
    border: 1px solid #ddd;
    border-radius: 5px;
}

button {
    background: #007bff;
    color: #fff;
    border: none;
    padding: 10px;
    width: 100%;
    cursor: pointer;
}

button:hover {
    background: #0056b3;
}

Features Implemented

✔ User Registration with Secure Password Hashing
✔ Login with CSRF Token Validation
✔ Secure Password Verification (password_verify())
✔ Protection Against SQL Injection (Using Prepared Statements)
✔ Error Handling and UI Improvements

Next Steps

1. Create dashboard.php for a logged-in user after authentication.

2. Implement Logout (logout.php) to destroy the session.

3. Add reCAPTCHA or Brute Force Protection for better security.

This is a fully functional, secure login system using PHP and MySQL. 
Let me know if you need more features!