all_php_tricks

PHP User Registration And Login Script


I have been learning web development for many years, and I always wanted to make it as simple and easy as possible, therefore I wrote a simple user registration and login script in PHP, https://www.allphptricks.com/simple-user-registration-login-script-in-php-and-mysqli/

I just want you guys to kindly have a look at it, and if you have any further suggestions to improve it, I would love to hear them.

Thanks all for your time and suggestions.

Regards Javed Ur Rehman


Where do you think this could be used?

Most CMS platforms already have a login system.


My biggest gripe with this tutorial is the same as other tutorials that offer the same thing, they don't secure anything correctly.

Your comment here basically sums the issue up for me:

Quote

there are many security measures that you should take; the purpose of this tutorial is to keep it simple so that everyone can understand how it works. This is not for production use; you will need to do more security checks to implement any user registration system.

How many people are actually going to know what measures to take? Very few, because beginners won't know what's required at this stage. You can also guarantee people will use this in production.

On top of that, you're only doing one pass of MD5 for encryption, which is not secure enough. Look at Bcrypt instead of MD5 and consider adding a salt to the encrypted string.

<?php
session_start();
// Redirect to the login page if no username is stored in the session.
if (!isset($_SESSION["username"])) {
    header("Location: login.php");
    exit();
}
?>

Don't use session verification because it can be spoofed, bypassing any password requirement.

<p>Welcome <?php echo $_SESSION['username']; ?>!</p>

No sanitised output.

---

The list goes on. I appreciate that you've taken the time to help others setting up a login, but tutorials that don't go into the proper requirements for this sort of thing often cause more harm than good. I would look at producing your tutorials security first, even if it means they have to be more in-depth and split into multiple parts.

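As an added example (not the tutorial's code and not posted by anyone in this thread), here is what the registration, login and page-gate parts of such a script look like with the points above applied: password_hash()/password_verify() instead of a single pass of MD5 (bcrypt, with a random salt generated and stored per password), prepared statements for every query, a regenerated session ID at login, and escaping on output. The $pdo connection, the users table and the column names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's own code. Assumes a PDO connection $pdo opened
// with PDO::ERRMODE_EXCEPTION and a table:
//   users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(32) UNIQUE,
//         email VARCHAR(255) UNIQUE, password_hash VARCHAR(255))
// The UNIQUE constraints are what really enforce "one email per account".

function register_user(PDO $pdo, string $username, string $email, string $password): int
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('username must be 3-32 characters of [A-Za-z0-9_]');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    if (mb_strlen($password, 'UTF-8') < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }

    // password_hash() uses bcrypt (PASSWORD_DEFAULT) with a per-password random salt
    // and a tunable cost; algorithm, cost and salt are all encoded in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: user input is bound as data and never spliced into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)');
    try {
        $stmt->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
    } catch (PDOException $e) {
        // SQLSTATE class 23000 = integrity constraint violation (duplicate username/email).
        if ($e->getCode() === '23000') {
            throw new RuntimeException('username or email is already registered');
        }
        throw $e;
    }
    return (int) $pdo->lastInsertId();
}

function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one password_verify(), even for unknown usernames, so the response
    // time does not tell an attacker which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $storedHash = ($row !== false) ? $row['password_hash'] : $dummyHash;

    if (!password_verify($password, $storedHash) || $row === false) {
        return false;
    }

    // Upgrade the stored hash if the default cost/algorithm has moved on since it was made.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    // Fresh session ID on login, so an ID planted by an attacker before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}

// Gate for protected pages. The session lives server-side and is looked up by the
// cookie, so what needs protecting is the cookie (see the flags in the usage below).
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit();
    }
}

// Escape on output: the stored username is rendered as text, never as HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage in a protected page (cookie flags must be set before session_start()):
//   session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
//   session_start();
//   require_login();
//   echo '<p>Welcome ' . e($_SESSION['username']) . '!</p>';
```

Two things worth noting: the UNIQUE constraints on username and email are the real check for duplicates, since two concurrent registrations can both pass a SELECT-then-INSERT check; and escaping is done where the value is printed, not where it is stored, so the same stored username can later be emitted safely into JSON or a URL with the escaper appropriate to that context.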

You can give proper validation to email. You can also provide .com validation.

If one email is already used for registration, then it can't be used a second time.

You can also set a password character limit of between 6 and 8.

On 10/3/2018 at 3:11 PM, gurutechnolab said:

you can also set password character limit in between 6 to 8

This is a really bad idea. If you do that then an attacker knows that passwords are between 6 and 8 characters long which helps them out greatly!


It's also been demonstrated that having uppercase, lowercase, symbols and numbers makes no difference. It's the length of the password that matters.

a (now famous) explanation: https://xkcd.com/936/

On 10/3/2018 at 3:11 PM, gurutechnolab said:

You can give proper validation to email. You can also provide .com validation.

If one email is already used for registration, then it can't be used a second time.

You can also set a password character limit of between 6 and 8.

A length of 6 isn't secure; modern computers can brute force that length with little effort. Setting a limit also means that people can't use password managers; you will either lose users or will be encouraging bad security.

Take a look at https://password.kaspersky.com, which gives you an indication of how long it would take to break.

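As an added example (not from the tutorial or from any post in this thread), here is a password policy that follows the direction of the replies above: a minimum length, a maximum high enough that password managers still work, no mandatory character classes, and a deny-list of known-bad passwords. The constants, the deny-list and the guess-rate figures used in the estimate are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's code. Policy constants are assumptions.
const PASSWORD_MIN_CHARS = 12;
// bcrypt only uses the first 72 bytes of the password, so a cap exists only to bound
// hashing cost; keep it far above anything a human or password manager would type.
const PASSWORD_MAX_BYTES = 1024;

// Constructed stand-in for a real breached-password list (a production system should
// check a large list such as the Have I Been Pwned corpus, not six strings).
const DENIED_PASSWORDS = ['password', '123456', 'qwerty123', 'letmein', 'password1', 'iloveyou'];

/** Returns the list of policy violations; an empty array means the password is acceptable. */
function password_policy_errors(string $password): array
{
    $errors = [];
    $chars  = mb_strlen($password, 'UTF-8');

    if ($chars < PASSWORD_MIN_CHARS) {
        $errors[] = sprintf('at least %d characters are required', PASSWORD_MIN_CHARS);
    }
    if (strlen($password) > PASSWORD_MAX_BYTES) {
        $errors[] = sprintf('no more than %d bytes are accepted', PASSWORD_MAX_BYTES);
    }
    if (in_array(mb_strtolower($password, 'UTF-8'), DENIED_PASSWORDS, true)) {
        $errors[] = 'this password appears in a list of commonly used passwords';
    }
    // Long but degenerate input ("aaaaaaaaaaaa") passes the length test with almost no entropy.
    if ($chars > 0 && count(array_unique(mb_str_split($password, 1, 'UTF-8'))) === 1) {
        $errors[] = 'password must not be a single repeated character';
    }
    return $errors;
}

/** Guesses needed to try every password of exactly $length symbols from an alphabet of $alphabetSize. */
function keyspace(int $length, int $alphabetSize): float
{
    return (float) ($alphabetSize ** $length);
}

/**
 * Seconds an attacker needs to try every password whose length lies in [$min, $max].
 * Publishing "6 to 8 characters" tells the attacker to skip every other length.
 */
function seconds_to_exhaust(int $min, int $max, int $alphabetSize, float $guessesPerSecond): float
{
    $total = 0.0;
    for ($len = $min; $len <= $max; $len++) {
        $total += keyspace($len, $alphabetSize);
    }
    return $total / $guessesPerSecond;
}

// Usage (the rate is an illustrative assumption for an offline attack on a fast hash, not a benchmark):
//   $errors = password_policy_errors($_POST['password'] ?? '');
//   if ($errors !== []) { /* show $errors to the user and do not register */ }
//   $sixToEight = seconds_to_exhaust(6, 8, 95, 1e10);   // all 95 printable ASCII symbols
//   $twelve     = seconds_to_exhaust(12, 12, 95, 1e10);
```

With those assumptions the whole 6-to-8 range (roughly 6.7e15 guesses) is exhausted in about a week, whereas 12 characters from the same alphabet (95^12, roughly 5.4e23) is far beyond reach at that rate. Note that the policy deliberately does not require uppercase, digits or symbols, in line with the xkcd reasoning above: length and not being on a breached-password list are what move the number.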
On 10/9/2018 at 1:47 PM, Jack said:

A length of 6 isn't secure; modern computers can brute force that length with little effort. Setting a limit also means that people can't use password managers; you will either lose users or will be encouraging bad security.

Take a look at https://password.kaspersky.com, which gives you an indication of how long it would take to break.

Yeah, you are right. I just hadn't realised that a set password length can be easily hacked.

Thanks for driving my attention to this concept.

On 10/8/2018 at 6:48 PM, fisicx said:

It's also been demonstrated that having uppercase, lowercase, symbols and numbers makes no difference. It's the length of the password that matters.

a (now famous) explanation: https://xkcd.com/936/

I'm not sure 'no difference' is correct because adding symbols and numbers helps prevent against dictionary attacks, but I agree that longer is definitely better.

