PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
It is currently Tue Sep 26, 2017 6:11 am

All times are UTC - 5 hours




 Post subject: PHP Register/Login
Posted: Fri Dec 26, 2014 1:00 am
Forum Newbie

Joined: Thu Dec 25, 2014 5:56 pm
Posts: 3
Hey guys, so I spent some time creating a Register/Login script, and I want you guys to come check it out! It's probably one of the easiest register login scripts you'll use; it's clean coding and easy to adjust to your website. All you have to do is insert that .sql into your database and edit the database configurations, and it's all in 1 file! I made a small simple website for you guys to download it; if you guys turn out to enjoy it, I am looking forward to extending it. Please give me feedback on what you think of the script and some ideas of how to improve it, thanks!

Here is the website to download it:
http://codingshare.site88.net/


 Post subject: Re: PHP Register/Login
Posted: Fri Dec 26, 2014 2:00 am
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6556
Location: WA, USA
The two most significant problems are
1. SQL injection in all your queries
2. Storing passwords in plaintext


 Post subject: Re: PHP Register/Login
Posted: Sat Dec 27, 2014 2:05 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13431
Location: New York, NY, US
Those two are probably the biggest. I would recommend not only saving hashed passwords; I would recommend having the browser hash the password using JavaScript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.

After that, a bunch of little things. Here are a few:

- Move the database code into a separate file with its own class with connect(), find() and insert() methods. Then if someone wanted to use a different database adapter they could easily.

- Separate the display stuff from the actual login code. Maybe put the login code in a class to namespace it.

- Style your login form with CSS classes to make it easier to customize. Wrap fields in <div> to improve customization. Maybe put messages in variables to make it easy to customize.

- Clean up your if() logic to make it easier to read. You also might want to check whether the form was submitted with GET or POST.

- Redirect after success to eliminate resubmissions.

- Remove closing ?> as it is not needed

_________________
(#10850)


 Post subject: Re: PHP Register/Login
Posted: Sun Dec 28, 2014 12:40 am
Forum Newbie

Joined: Thu Dec 25, 2014 5:56 pm
Posts: 3
I've updated the script, added md5 for the password, some validations to some things, and a Password Reset form. Please go check it out!


 Post subject: Re: PHP Register/Login
Posted: Sun Dec 28, 2014 11:25 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
Christopher wrote:
I would recommend having the browser hash the password using JavaScript and sending only the hashed form. Then compare that with the hash stored in the database to confirm the second credential.


That's my favorite, love that idea. I've only done that once, for a password storage/management tool.

 Post subject: Re: PHP Register/Login
Posted: Mon Dec 29, 2014 2:25 pm
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6353
Location: Montreal, Canada
spencerdemo wrote:
I've updated the script, added md5 for the password, some validations to some things, and a Password Reset form. Please go check it out!

md5 is entirely inadequate for storing password hashes. Use bcrypt.

_________________
Supported PHP versions No longer supported versions


 Post subject: Re: PHP Register/Login
Posted: Mon Dec 29, 2014 4:11 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13431
Location: New York, NY, US
Agreed. Even SHA1 is not enough these days.

https://www.google.com/?q=javascript%20 ... ipt+bcrypt

The code is still not very clean or customizable. Switching to Mysqli is better, but still does not abstract the DB so it can be replaced easily. And use the PHP filter functions instead of rolling your own email check.

_________________
(#10850)
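
The fixes the replies ask for, shown together as an added example that is not part of any post in this thread and is not the script under review: parameterized queries, bcrypt through password_hash(), and filter_var() for the email check. PDO with an in-memory SQLite database, the users table, and the register()/login() function names are assumptions chosen so the code runs without a database server.

```php
<?php
// Added example, not the script from the thread. Table, columns and function names are assumed.
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained; change only the DSN to use MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

function register(PDO $db, string $email, string $password): bool
{
    // PHP filter functions instead of a hand-rolled email check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // bcrypt with a random per-password salt; salt and cost are stored inside the hash string.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Placeholders keep user input out of the SQL text, which removes the injection path.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    try {
        return $stmt->execute([$email, $hash]);
    } catch (PDOException $e) {
        return false; // e.g. the UNIQUE constraint rejected a duplicate email
    }
}

function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    // password_verify() re-derives the bcrypt hash and compares in constant time.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input.
var_dump(register($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(register($db, 'not-an-email', 'x'));
var_dump(login($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($db, 'alice@example.com', 'wrong password'));
// A classic injection string is treated as a literal email value and matches no row.
var_dump(login($db, "' OR '1'='1", 'anything'));
```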

