Here is the background: you have a database that contains a data table with a username (or email) column and a password column. You want a user to input their credentials and validate the login. There are a few concepts that are not unique to PHP but are universal to login validation.

The first concept is that you do not store a user's actual password in the database. Instead, you run the password through a one-way hash function (hashing, which is not encryption: the original password cannot be recovered from the hash) and store the resulting hash. Then, whenever you validate a user's input, you compare the hash of the input to the hash stored in the table. This is to limit the damage if somebody steals the table: they get hashes, not everyone's username and password. In PHP, there is the password_hash function to hash the password and the password_verify function to compare the user input to the stored hash value. A benefit of PHP's password_hash function is that it generates a random salt per hash, so if someone mounts a brute force attack and succeeds against one hash, they have recovered only that one password; the work cannot be reused against the other values stored in the database table.

The second concept is that you do not splice literal values into a SQL command. Instead, you parameterize the query so that user input is sent to the database as data, not as part of the SQL text. This is to prevent somebody from manipulating the database via SQL injection. In PHP's PDO, there is the bindValue method for this.

Finally, while this codebank contribution assumes that you are using MySQL, one of the flexibilities of PDO is that you can specify the driver for the database that you are using. A list of supported drivers with their respective documentation can be found here: http://us3.php.net/manual/en/pdo.drivers.php

Here is the code for the PHP login validation:
PHP Code:
try {
    // Database variables (change the literals to your specific values)
    $dbHost     = 'My Host Name Here, localhost, 127.0.0.1 etc...';
    $dbUsername = 'My Database Username Here';
    $dbPassword = 'My Database Password Here';
    $dbName     = 'My Database Name Here';

    /* Create connection
       This is where, if you are not using MySQL, you'd change the DSN */
    $dsn = "mysql:dbname=$dbName;host=$dbHost;charset=utf8mb4";
    $db  = new PDO($dsn, $dbUsername, $dbPassword);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Select 1 row, but all columns, from the [users] table by the email column
    $stmt = $db->prepare("SELECT * FROM users WHERE email=:email LIMIT 1");

    // Parameterize the query: the submitted email is bound as data, never spliced into the SQL
    $stmt->bindValue(':email', $_POST['email'], PDO::PARAM_STR);

    // Execute the query and return the results into $row
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Ensure that a row was returned
    if ($row) {
        // Confirm that the submitted password matches the stored hash
        if (password_verify($_POST['password'], $row['password'])) {
            // Successful login
        } else {
            // Invalid password
        }
    } else {
        // Invalid username
    }
    // Show the user the same message for both failure cases, so the response
    // does not reveal which emails are registered

    // Explicitly close the connection
    $db = null;
} catch (PDOException $ex) {
    // debug mode, simply echo the exception
    // (in production, log the message instead of sending it to the browser;
    // it can contain host names and other connection details)
    echo $ex->getMessage();
}
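The snippet above covers the verify side only. As an added example (not the codebank's own code), here is the registration side it assumes, plus a login check that answers uniformly on failure; it uses PDO's sqlite driver with an in-memory database so it runs offline, and the accounts, the `users` table layout and the function names are constructed for this demonstration.

```php
<?php
// Added example, not the codebank's own code. Uses PDO's sqlite driver with an
// in-memory database so it runs offline; replace the DSN with the "mysql:..."
// one from the snippet above to use MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

// Registration: store only the hash. password_hash() draws a fresh random salt
// on every call and encodes algorithm, cost and salt in the string it returns.
function registerUser(PDO $db, string $email, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':password', $hash, PDO::PARAM_STR);
    $stmt->execute();
    return $hash;
}

// Login: one parameterized lookup, then password_verify() against the stored
// hash. Unknown email and wrong password both return false, so the caller can
// show a single "invalid credentials" message instead of revealing which failed.
function checkLogin(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email LIMIT 1');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Constructed sample accounts (not real credentials); both use the same password.
$h1 = registerUser($db, 'alice@example.com', 'correct horse battery staple');
$h2 = registerUser($db, 'bob@example.com',   'correct horse battery staple');

// Per-hash salt: the two stored hashes differ even though the passwords are equal.
var_dump($h1 !== $h2);
// Correct credentials, wrong password, and unknown email.
var_dump(checkLogin($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice@example.com', 'wrong password'));
var_dump(checkLogin($db, 'nobody@example.com', 'anything'));
// The bound value is data, never SQL text: this lookup simply finds no such email.
var_dump(checkLogin($db, "' OR 1=1 --", 'anything'));
```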