PHP login and registration script

Access_user Class is an easy to use system for protecting pages and register users. They main features are: User-login, user registration, user update, remember login information, page protection, forgotten password recovery, mail based account activation and multi language message reporting and since the latest versions: maintain extra user profile information, access levels, a limited (safe) admin panel, manual account activation and an improved password check. The class is powered by MySQL and PHP sessions. Inside the package are examples for all primary methods. Since version 1.92 custom session handler are supported.

PHP Script Download

Documentation and support

All update information - Post here your questions and suggestions.

Related forum posts


This class requires a PHP enabled Apache (virtual) host. I tested this class with PHP 4.3(5.1) and MySQL 3.23(4.1) on Windows and Linux. I never tested this class with IIS. If you want to use this class on Windows / IIS than you have to be sure that the server variable DOCUMENT_ROOT is available. You can test this while using this code on your web host:

  • echo getenv("DOCUMENT_ROOT");

If you can't see the document path, then this class will not work out of the box. I'm sure it is possible to change all paths but there is no information about on this page or inside the files.

For windows user using this class on a localhost:

You need a mail server program to run some of the scripts (register.php, forgot_password.php and update_user.php)

Database selection

By default the database is not selected with the PHP function mysql_select_db() and the database name is in front of the table name. It's possible that your server doesn't allow the database name inside a query, if this forms a problem then don't use them there and unescape the mysql_select_db() function inside the connect_db() method.


  • Use the "users_table.sql" file to create your MySQL table.
  • Since version 1.92 it's possible to safe the session data inside your MySQL database (is more safe on shared hostings)
  • Create a file called db.php (I place it into the folder classes which is one above the root), add this code with your database connection parameters:
    define("DB_SERVER", "localhost");
    define("DB_NAME", "database");
    define ("DB_USER", "user");
    define ("DB_PASSWORD", "password");
  • Most important, change all important pathes...
    • APPLICATION_PATH: the directory where your scripts are placed
    • CLASS_PATH: this path is dynamic, use it if all files are inside the same directory
    • ... or use your own ones (only needed for LOGIN_PAGE, START_PAGE and ACTIVE_PASS_PAGE)
  • To fit the exsiting path structure in all example files you have to create two folders:
    • the first "classes" is above your document root...
    • ...the second "access_user" is inside the classes folder.
  • Place the class- and config file inside "access_user" folder.
  • After this you can use all example files (except the three files defined inside the config file) on different locations from your site.

How does it work?

  • Run the register.php in your web browser and enter the first user into your database.
  • After succesfull registration you will get an confirmation mail,
    • activate and confirm your acoount and you can enter the protected pages
    • use the manual activation status and the site admin have to activate each single account.
  • Login and you have assess to the update page where it's possible to modify the user information.
  • If you change the e-mail address you get a new confirmation e-mail, activate the new address with the given link.
  • Click on log out or exit you browser to end the session.
  • If you have forgotten the password and or login, you can use the e-mail address to get a reminder message.

How to use?

Remember, all example files are full working. The next documentation is only to explain what the methods / variables exactly do.

A note about the usage of the "automatic login" feature: If a cookie is saved on the client side, the user doesn't need to login (new in version 1.94)


Find in this file a form with to text fields one for the login and one for the password. These entries will be validated before you can enter the protected area.
I use this page as the target for the account activation process, too.
Important: If you use the feature "Visitor count", the table field extra_info can't be used for other information!

Note: Since version 1.92 if the login cookie function is used, the recovered (encrypted) password inside the password form field is always 32 chars long. This is not a problem, the script can handle that.

Important methods and variables on this page:

  • $my_access->save_login // use a cookie to remember the client login, possible values are "yes" or "no"
  • $my_access->count_visit = true // if this is true then the last visit date is saved in the database (field extra_info)
  • $my_access->login_user($user, $password) // call the login method
  • $my_access->activate_account($activate_key, $key_id) // the account activation method
  • $my_access->validate_email($validation_key, $key_id) // (updated) e-mail address validation

This class can be used in two modes:

  • automatic account activation
  • account activation by admin (check the default account details beneath)

If you want to disable the automatic activation feature, use this variable inside the login script: $my_access->auto_activation = false; // (true/false) or set this boolean inside the class file.


If you use the setting USE_MYSQL_SESSIONS inside the config file you need a logout page without class object to clear the old session data from the database.


The register.php file is a regular form with fields for login, password, e-mail, real name and for extra information. My suggestion is, removing the last field and using instead the extra info field for information like: language, register date, customer number etc. To register a new user only one method required:

  • $new_member->register_user($first_login, $first_password, $confirm_password, $first_name, $first_info, $first_email)

Of course there are also standard variables for error messages and to switch messages in different languages (like in the other examples).


Use this example where the user can update his information like: e-mail, password, extra info and his real name. The login name is unique and can't be changed. If the user changed his e-mail address a confirmation mail is send to his new address and the old one is active until he confirmed the new one. The user can change his password if he let the password field empty, the password will not be changed. Methods for this example are:

  • $update_member->access_page() // protect this page too.
  • $update_member->get_user_info() // call this method to get all the user information
  • $update_member->update_user($new_password, $new_confirm, $new_name, $new_info, $new_mail) // the update method


If a user forgot his password and/or login he can request a reminder mail. Using this file the user fills the form field with the e-mail address which is used during registration. After submitting the user get a mail with a link to the (next) file where you can (re)enter a new password. Only one method is required (the error message functions as a important option):

  • $renew_password->forgot_password($forgot_email) // call the method with the entered mail address as property


If the user use the link inside the mail he got, he will reach this page. On this page the user have the option to enter a new password for his account. After submitting this new password the user can use it in the login form.

  • $act_password->check_activation_password($controle_str, $id) // this will check the query string for valid data
  • $act_password->activate_new_password($new_pass, $new_confirm, $old_pass) // this update the record with the new password

I put the activation string into a session in place of a hidden field.


Use the code from this file in all pages you want to protect. I use this file to link to protected pages like "update_user.php". Notice these methods and variables:

  • $page_protect->access_page() // only set this this method to protect your page!
  • $page_protect->log_out() // the method to log off (optional)


I created this optional page to show how this class take care of previous pages if the user have to login first.

  • $test_page_protect->access_page($_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING']) // set this method, including the server vars to protect your page and get redirected to here after login

Use this method the same like before, except that you enter these two server variables.


This file is an example to test the access level from a user. Find the link on the example.php page.

  • $test_access_level->access_page($_SERVER['PHP_SELF'], "", 5) // the last parameter is the value of the access level. Configure the levels inside the db_config.php file.


This file is also an extenstion, with this file it's possible to change user data like the password (reset), email address, activation status and access level.

Use the example record to admin users (after installation): user: administrator / password: welcome

  • $admin_update->get_userdata($for_user, $type = "login"); // obtain the user data to show in the admin form ($type is used to select dat by "id" or "login"
  • $admin_update->update_user_by_admin($new_level, $user_id, $def_pass, $new_email, $active, $confirmation = "no"); // with this method only a few data can be updated by the administrator. The last parameter is used to send a conformation mail
  • $admin_update->access_level_menu($curr_level, $element_name = "level") // a simple select menu will show the min - max value of the access levels