Hello everyone,<\/p>\n
This is tutorial on making a simple PHP PDO login and registration system. We will be touching on PHP PDO, database design and security practices. It will be a bit different from the common tutorials out there as this will only cover certain core concepts and I will then give a final full example that will allow you to study from the code itself. This is because I find that having learnt core concepts and thereafter, learning from examples will make it easier for people to understand it better.<\/p>\n
So first off, here’s an introduction to PDO:<\/p>\n
PDO stands for PHP Data Objects, it is an interface for programmers to safely access databases in PHP. It is a better alternative to PHP MySQL, which is already deprecated, that has many new features such as statement preparation and object-oriented functions. This makes it quite different from PHP MySQL and PHP MySQLi.<\/p>\n
To start a database connection, you will need to call a new PDO object.<\/p>\n
try {<\/code><\/p>\n
$dbh = new PDO('mysql:host=localhost;dbname=some_database_name', 'admin_2', '123456'); \/\/establish it<\/code><\/p>\n
} catch (PDOException $e) {<\/code><\/p>\n
\/\/seems like that there was an error!<\/code>
\nprint_r(\"MySQL Error!: \" . $e->getMessage()); \/\/print the error output<\/code>
\nexit();<\/code><\/p>\n
}<\/code><\/p><\/blockquote>\nIf that work well for you, great, it confirms that you have PHP PDO!<\/p>\n
So next would be learning how to carry out a SELECT SQL statement.<\/p>\n
$stmt = $dbh->prepare(\"SELECT * FROM `userdata` where `username` = ? AND `password` = ?\");<\/code>
\n$username = 'lol';<\/code>
\n$password = 'verysecuredpassword';<\/code>
\n$stmt->execute(array($username, $password);<\/code><\/p><\/blockquote>\nExcellent! As you can see here, you prepare the SQL statement and when data needs to be specified, you will see this strange thing here –
where `username` = ? AND `password` = ?<\/code>. Very odd isn’t it? Its basically preparing this statement for the data to be called as you can see here –$stmt->execute(array($username, $password);<\/code>. So the 1st question mark will reference to$username<\/code> while the 2nd question mark will reference to$password<\/code>. This would mean that the code is literally being executed as\"SELECT * FROM `userdata` where `username` = \" . $username . \" AND `password` = \" . $password<\/code>.<\/p>\nSo far so good? Easy isn’t it? :)<\/p>\n
Database Structure<\/h2>\n
Now that we have covered the PDO part, let us move on to database structure planning.
\nTo have a login system, we will need at least 3 things: PRIMARY id<\/strong> KEY, username<\/strong> and password<\/strong>. The username will be used to create an identity for the user while the password is used by the user to authenticate to the specified user account.<\/p>\nSo we should have something like this:<\/p>\n
CREATE TABLE userdata (<\/code><\/p>\n
id int(10) unsigned NOT NULL AUTO_INCREMENT,<\/code>
\nusername varchar(64) NOT NULL,<\/code>
\npassword varchar(64) NOT NULL<\/code>
\nPRIMARY KEY (id)<\/code><\/p>\n
) ENGINE=InnoDB DEFAULT CHARSET=utf8;<\/code><\/p><\/blockquote>\nSecurity Practices<\/h2>\n
Now that we are done with the database design, let’s move on to some security practices that are worth taking note of.<\/p>\n
Data sensitive details such as password should never be stored in plaintext in the database. Therefore, we should always hash these details using the PHP
crypt()<\/code> function. So this is what should be done:<\/p>\n
$password = crypt($_REQUEST['password'], CRYPT_BLOWFISH);<\/code><\/p><\/blockquote>\nSome people will try to attempt to insert script using HTML characters, we need to filter this off as well.<\/p>\n
$username = htmlspecialchars($_REQUEST['username'], ENT_QUOTES, \"UTF-8\");<\/code><\/p><\/blockquote>\nAlthough this HTML sanitisation is not required for passwords (since they are going to be encrypted anyway), we should just sanitise the password anyway.<\/p>\n
Next, we want to prevent identity hijacking in the event where people modify their cookies. So we need to create 2 cookies, one that contains the username and the other one contains a cookie hash. The cookie hash is used to verify the identity of the person and is unique upon every login. So even if a hijacker has modified their cookie to “GIANT_CRAB”, without the correct cookie hash, the system will reject him. This would also mean that we will need to modify our existing database design to include this new cookie hash.<\/p>\n
New database design:<\/p>\n
CREATE TABLE userdata (<\/code><\/p>\n
id int(10) unsigned NOT NULL AUTO_INCREMENT,<\/code>
\nusername varchar(64) NOT NULL,<\/code>
\npassword varchar(64) NOT NULL<\/code>
\ncookiehash varchar(64) DEFAULT NULL<\/code>
\nPRIMARY KEY (id)<\/code><\/p>\n
) ENGINE=InnoDB DEFAULT CHARSET=utf8;<\/code><\/p><\/blockquote>\nCookies that will be set:<\/p>\n
setcookie('username_cookie', \"GIANT_CRAB\", 0, \"\/\", \"\", false, true);<\/code>
\nsetcookie('login_cookie', \"abcd12345\", 0, \"\/\", \"\", false, true);<\/code><\/p><\/blockquote>\nIdentifying if a user is logged in, using both the username cookie and cookie hash:<\/p>\n
\/\/$dbh parameter should be the database connection that is started using \"$dbh = new PDO();\"<\/code>
\n\/\/$username parameter should be the username of the user<\/code>
\n\/\/$cookiehash paramter should be the cookie hash value<\/code>
\nfunction isLoggedIn($dbh, $username, $cookiehash) {<\/code><\/p>\n
$stmt = $dbh->prepare(\"SELECT * FROM `userdata` where `username` = ? AND `cookiehash` = ?\");<\/code>
\nif($stmt->execute(array($username, $cookiehash))) {<\/code><\/p>\n
if($stmt->rowCount()) { \/\/check if user exists and the cookiehash is correct<\/code><\/p>\n
return true;<\/code><\/p>\n
}<\/code><\/p>\n
} else {<\/code><\/p>\n
return false;<\/code><\/p>\n
}<\/code><\/p>\n
}<\/code>
\n\/\/so to check if a user is logged in, it is done like this<\/code>
\nif(isLoggedIn($dbh, $username, $cookiehash)) {<\/code><\/p>\n
\/\/user is logged in<\/code><\/p>\n
} else {<\/code><\/p>\n
\/\/user is not logged in or the cookie hash is incorrect<\/code><\/p>\n
}<\/code><\/p><\/blockquote>\nFinally, we want to prevent cross site request forgery (CSRF) attempts too. This means that we need to generate a cookie and also modify the login form in such a way that it will also submit the value of the cookie.<\/p>\n
PHP:<\/p>\n
$csrf_token = md5(mt_rand() . mt_rand()); \/\/we want it fast, security isn't a major issue here<\/code>
\nsetcookie(\"csrf_token\", $csrf_token, 0, \"\/\", \"\", $ssl, true);<\/code><\/p><\/blockquote>\nHTML:<\/p>\n
<form><\/code><\/p>\n
<div class=\"form-group\"><\/code><\/p>\n
<label for=\"loginUsername\">Username<\/label><\/code>
\n<input type=\"text\" class=\"form-control\" id=\"loginUsername\" placeholder=\"Enter username\"><\/code><\/p>\n
<\/div><\/code>
\n<div class=\"form-group\"><\/code><\/p>\n
<label for=\"loginPassword\">Password<\/label><\/code>
\n<input type=\"password\" class=\"form-control\" id=\"loginPassword\" placeholder=\"Password\"><\/code><\/p>\n
<\/div><\/code>
\n<input id=\"loginToken\" type=\"hidden\" value=\"<?php echo $csrf_token; ?>\"\/><\/code>
\n<button type=\"submit\" class=\"btn btn-primary\">Login<\/button><\/code><\/p>\n
<\/form><\/code><\/p><\/blockquote>\nConclusion<\/h2>\n
Congratulations! Now you have grabbed hold of the basic important concepts that are needed in handling a PHP login form. I have created a complete PHP PDO example that is available to download on Github, the URL will provided below.<\/p>\n
Github Example: https:\/\/github.com\/GIANTCRAB\/Simple-PHP-PDO-Login<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hello everyone, This is tutorial on making a simple PHP PDO login and registration system. We will be touching on PHP PDO, database design and security practices. It will be a bit different from the common tutorials out there as this will only cover certain core concepts and I will then give a final full … Continue reading “Simple PHP PDO Login System Tutorial”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[5,29],"tags":[30],"class_list":["post-42","post","type-post","status-publish","format-standard","hentry","category-programming","category-tutorials","tag-php"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/posts\/42"}],"collection":[{"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":3,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"predecessor-version":[{"id":45,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions\/45"}],"wp:attachment":[{"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/woohuiren.me\/blog\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}