Logging Users In and Out

In our application, we can check the username and password obtained from the login form against the authentication details in the database; if we find a matching row, the user is authorized to access the system. Given the limited need for security in our application, we can reasonably have it automatically register new users the first time they enter their authentication details. The next time they visit, the application will authenticate them against the stored data.

Before trying to authenticate the user, we can check to ensure that the entered username and password aren’t too short; in general, the longer the authentication strings, the harder they are for a malicious user to subvert. If either the username or the password is shorter than four characters, we redirect the browser to the login page with an appropriate error message:

// Check that the username and password are each at least four
// characters long.
if( (strlen($username)<4) ||
 (strlen($password)<4) )
{
 // No, they're not; create an error message and redirect
 // the browser to the index page to display the message
 $message = "Please choose a username and password that are ".
  "at least four characters long";
 header("Location: index.php?message=" . urlencode($message));
 exit;
}

Once we’re happy with the length of the username and password, we can check whether the username already exists in the database; if it does, we check to see whether the provided password is correct. If no such username ...
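The flow described above (length check, username lookup, password check, automatic registration on first visit), as an added example that is not the book's own code. It assumes PDO, a hypothetical users table with username and password_hash columns, a hypothetical helper loginOrRegister(), and PHP's built-in password_hash() and password_verify() for storing the password; the demo uses an in-memory SQLite database so it runs without a server.

```php
<?php
// Added example, not from the book. Assumed names: table `users` with
// columns `username` and `password_hash`; helper loginOrRegister().

function loginOrRegister(PDO $db, string $username, string $password): string
{
    // Same minimum-length rule as the page's check (strlen() counts bytes).
    if (strlen($username) < 4 || strlen($password) < 4) {
        return 'too_short';
    }

    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown username: register on first visit, storing a salted hash
        // rather than the password itself.
        $ins = $db->prepare(
            'INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $ins->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
        return 'registered';
    }

    // Known username: compare the entered password against the stored hash.
    return password_verify($password, $hash) ? 'authenticated' : 'wrong_password';
}

// Constructed demo on an in-memory SQLite database so it runs offline;
// against MySQL only the arguments to the PDO constructor change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username      VARCHAR(30)  PRIMARY KEY,
    password_hash VARCHAR(255) NOT NULL)');

// Constructed sample logins: too short, first visit, return visit, bad password.
$attempts = [
    ['al',    'secret99'],
    ['alice', 'secret99'],
    ['alice', 'secret99'],
    ['alice', 'letmein1'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-6s %-9s => %s\n", $u, $p, loginOrRegister($db, $u, $p));
}
```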
