PHP Register/Login

spencerdemo
Forum Newbie
Posts: 3
Joined: Thu Dec 25, 2014 4:56 pm

PHP Register/Login

Post by spencerdemo »

Hey guys, so I spent some time creating a Register/Login script, and I want you guys to come check it out! It's probably one of the easiest register/login scripts you'll use; it's clean code and easy to adjust to your website. All you have to do is insert the .sql into your database and edit the database configuration, and it's all in 1 file! I made a small simple website for you guys to download it, and if you turn out to enjoy it I am looking forward to extending it. Please give me feedback on what you think of the script and some ideas of how to improve it, thanks!

Here is the website to download it:
http://codingshare.site88.net/
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: PHP Register/Login

Post by requinix »

The two most significant problems are
1. SQL injection in all your queries
2. Storing passwords in plaintext
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Register/Login

Post by Christopher »

Those two are probably the biggest. I would recommend not only saving hashed passwords; I would recommend having the browser hash the password using Javascript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.

After that, a bunch of little things. Here are a few:

- Move the database code into a separate file with its own class with connect(), find() and insert() methods. Then if someone wanted to use a different database adapter they could easily.

- Separate the display stuff from the actual login code. Maybe put the login code in a class to namespace it.

- Style your login form with CSS classes to make it easier to customize. Wrap fields in <div> to improve customization. Maybe put messages in variables to make it easy to customize.

- Clean up your if() logic to make it easier to read. You also might want to check whether the form was submitted with GET or POST.

- Redirect after success to eliminate resubmissions.

- Remove closing ?> as it is not needed
spencerdemo
Forum Newbie
Posts: 3
Joined: Thu Dec 25, 2014 4:56 pm

Re: PHP Register/Login

Post by spencerdemo »

I've updated the script, added md5 for the password, some validations for some things, and a Password Reset form. Please go check it out!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: PHP Register/Login

Post by Benjamin »

Christopher wrote:I would recommend having the browser hash the password using Javascript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.
That's my favorite, love that idea. I've only done that once, for a password storage/management tool.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: PHP Register/Login

Post by Celauran »

spencerdemo wrote:I've updated the script, added md5 for the password, some validations for some things, and a Password Reset form. Please go check it out!
md5 is entirely inadequate for storing password hashes. Use bcrypt.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: PHP Register/Login

Post by Christopher »

Agreed. Even SHA1 is not enough these days.

https://www.google.com/?q=javascript%20 ... ipt+bcrypt

The code is still not very clean or customizable. Switching to Mysqli is better, but still does not abstract the DB so it can be replaced easily. And use the PHP filter functions instead of rolling your own email check.
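As an added example (not the script under review or any poster's code), here is how the three points raised in this thread look in PHP: prepared statements for the queries, bcrypt via password_hash() instead of md5, and filter_var() for the email check. It uses an in-memory SQLite database with a constructed users table, so it runs stand-alone; the column names are assumptions, not the reviewed script's schema.

```php
<?php
// Added example: register/login helpers that avoid the problems raised in
// the thread (SQL injection, plaintext/md5 passwords, hand-rolled email
// validation). The in-memory SQLite database and `users` table below are
// constructed for this demo; the reviewed script's schema is assumed similar.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $email, string $password): bool
{
    // PHP's built-in validator instead of a custom regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // bcrypt with a random per-user salt; the cost factor is tunable.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() does a constant-time comparison against the stored
    // bcrypt hash; an unknown user and a wrong password both fail the same way.
    return $row !== false && password_verify($password, $row['password_hash']);
}

$db = connect();
var_dump(register($db, 'alice@example.com', 'correct horse battery'));
var_dump(register($db, 'not-an-email', 'irrelevant'));
var_dump(login($db, 'alice@example.com', 'correct horse battery'));
var_dump(login($db, 'alice@example.com', 'wrong password'));
var_dump(login($db, 'nobody@example.com', 'anything'));
```

The stored value is the full bcrypt string (algorithm, cost and salt included), so the cost can be raised later and old hashes re-hashed on the user's next successful login with password_needs_rehash().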