Hey guys, so I spent some time creating a Register/Login script, and I want you guys to come check it out! It's probably one of the easiest register/login scripts you'll use; it's clean code and easy to adjust to your website. All you have to do is insert the .sql into your database and edit the database configuration, and it's all in 1 file! I made a small simple website for you guys to download it; if you guys turn out to enjoy it I am looking forward to extending it. Please give me feedback on what you think of the script and some ideas of how to improve it, thanks!
Here is the website to download it:
http://codingshare.site88.net/
PHP Register/Login
Re: PHP Register/Login
The two most significant problems are
1. SQL injection in all your queries
2. Storing passwords in plaintext
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: PHP Register/Login
Those two are probably the biggest. I would recommend not only saving hashed passwords; I would recommend having the browser hash the password using Javascript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.
After that, a bunch of little things. Here are a few:
- Move the database code into a separate file with its own class with connect(), find() and insert() methods. Then if someone wanted to use a different database adapter they could easily.
- Separate the display stuff from the actual login code. Maybe put the login code in a class to namespace it.
- Style your login form with CSS classes to make it easier to customize. Wrap fields in <div> to improve customization. Maybe put messages in variables to make it easy to customize.
- Clean up your if() logic to make it easier to read. You also might want to check whether the form was submitted with GET or POST.
- Redirect after success to eliminate resubmissions.
- Remove the closing ?> as it is not needed.
- spencerdemo
- Forum Newbie
- Posts: 3
- Joined: Thu Dec 25, 2014 4:56 pm
Re: PHP Register/Login
I've updated the script, added md5 for the password, some validations to some things, and a Password Reset form. Please go check it out!
Re: PHP Register/Login
Christopher wrote: I would recommend having the browser hash the password using Javascript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.
That's my favorite, love that idea. I've only done that once, for a password storage/management tool.
Re: PHP Register/Login
spencerdemo wrote: I've updated the script, added md5 for the password, some validations to some things, and a Password Reset form. Please go check it out!
md5 is entirely inadequate for storing password hashes. Use bcrypt.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: PHP Register/Login
Agreed. Even SHA1 is not enough these days.
https://www.google.com/?q=javascript%20 ... ipt+bcrypt
The code is still not very clean or customizable. Switching to Mysqli is better, but still does not abstract the DB so it can be replaced easily. And use the PHP filter functions instead of rolling your own email check.
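Putting the thread's main fixes together as an added example (not the original script and not code from any poster): a register/login pair using PDO prepared statements against SQL injection, password_hash() with bcrypt instead of md5, filter_var() for the email check, POST-only handling, and a redirect after success. The DSN and credentials, the users(id, email, password_hash) table and the /dashboard.php target are assumptions for the example.

```php
<?php
// Added example, not the original script. Assumes a hypothetical table
// users(id, email, password_hash) and replaces the DSN/credentials below
// with your own. No closing ?> tag, as suggested in the thread.

function db(): PDO {
    // Assumed connection settings for the example.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

function register(PDO $pdo, string $email, string $password): bool {
    // Built-in validator instead of a hand-rolled email check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // bcrypt with a random per-user salt; the hash string carries its own salt and cost.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Bound placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $pdo, string $email, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify(), against a dummy hash if the email is unknown,
    // so response time does not reveal which emails are registered.
    $stored = $row !== false ? $row['password_hash'] : password_hash('dummy', PASSWORD_BCRYPT);
    if (!password_verify($password, $stored) || $row === false) {
        return null;
    }
    return (int) $row['id'];
}

// Only act on a POST submission, never on a GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email'], $_POST['password'])) {
    $userId = login(db(), $_POST['email'], $_POST['password']);
    if ($userId !== null) {
        session_start();
        session_regenerate_id(true);       // new session id after authentication
        $_SESSION['user_id'] = $userId;
        header('Location: /dashboard.php', true, 303); // redirect after success
        exit;
    }
}
```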