Simple and efficient Login mechanism using PHP and database [closed]

Question

Closed. This question needs to be more focused. It is not currently accepting answers.

Want to improve this question? Guide the asker to update the question so it focuses on a single, specific problem. Narrowing the question will help others answer the question concisely. You may edit the question if you feel you can improve it yourself. If edited, the question will be reviewed and might be reopened.

Closed 2 years ago.

Improve this question

I want to create a simple login system in my website I am developing for academic purpose.

This is what I did so far:

A user will have to fill out a form to input their username and password, and then submit the form (POST method). Both vars will be sanitized.

Query from database

SELECT id FROM user WHERE username = x AND
password = y

Where x and y are username and password acquired using

$_POST['variable_name']

Then I used PHP function rowCount(). If the result = 1 (and only one), then that user will be notified that the login process is successful and a user id session var will be set.

So, is this kind of login system simple and efficient enough? I don't need any additional security measure (like password hashing) right now.

Sanitizing vars instead of using parameterized queries went out of fashion over 10 years ago (ie not best practise). I see no reason to not add hashing, it's not hard at all using the password api built into php (password_hash and password_verify). Its most common to actually fetch the data of the user, you probably want to add the user id to ession so you know which user is logged in when handling later requests — JimL
– JimL, Commented Jul 13, 2016 at 4:36
@JimL do you mean parameterized queries using prepare() and execute() ? If so, yes I can use that. Ditto on password_hash and password_verify. — GPraz
– GPraz, Commented Jul 13, 2016 at 4:44
Yes, in effect replacing vars in the query string with ? or :parameterName — JimL
– JimL, Commented Jul 13, 2016 at 4:46
@JimL Okay. And of course user id will be added to session var. I'll update my question shortly. What about using both sanitized vars and parameterized queries? — GPraz
– GPraz, Commented Jul 13, 2016 at 4:51
counting the number of rows is useless, it is faster to just check that the fetched result is !== false. If the username is unique in the db, there can't be more than one. — the_nuts
– the_nuts, Commented Jul 13, 2016 at 5:01

the_nuts · Accepted Answer · 2016-07-13 05:15:48Z

1

This is how it should be done with more modern standards:

$db = new PDO('mysql:host='.$database_host.';dbname='.$database_name.';charset=utf8', $database_user, $database_password);

$stmt = $db->prepare("SELECT id FROM users WHERE username=? AND password=?");
$stmt->execute([$_POST['username'], $_POST['password']]);

$user = $stmt->fetch(); // Or fetchColumn() to get just the id

if($user) { 
    // Login
} else {
    // The user doesn't exist or the password is wrong
}

answered Jul 13, 2016 at 5:15

the_nuts

6,1443 gold badges44 silver badges75 bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

GPraz Over a year ago

Should I create the PDO instance, prepare(), and execute() inside try catch just in case an error happened during connecting to database?

the_nuts Over a year ago

Yes, by adding the fourth parameter [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION] to the PDO constructor. You may also want to check if $_POST['username'] and password are set

art · Accepted Answer · 2016-07-13 04:54:40Z

0

Use PDO or mysqli for prevention of sql injection and fast data retrieval

here is the code

 <?php
    $avail=0;
    require 'connect.php';
    if(isset($_POST['Submit']))
    {        $Username=$_POST['Username'];
             $Password=$_POST['Password'];
             $query=$handler->query('Select * FROM users');     
             while($r=$query->fetch(PDO::FETCH_ASSOC)){
                $U=$r['Username'];
                $P=$r['Password'];
                if($U==$Username&&$P==$Password){
                    $avail=1;
                }
                }
                if($avail==1){
                     echo("<script>window.location = 'welcome.html';</script>");
                }
                if($avail==0){
                     echo("<script>alert('Wrong Username or Password')</script>");


                }

    }

?>

answered Jul 13, 2016 at 4:54

art

3284 gold badges12 silver badges34 bronze badges

6 Comments

GPraz Over a year ago

What about using if($query->rowCount() == 1) instead of if($U==$Username && $P==$Password)? Is it necessary to select all rows from user table and to use while loop?

the_nuts Over a year ago

There is no injection prevention in this "code"... it's bad written and the logic is totally wrong... (cycling all the users?!?)... and it also depends on custom function in connect.php, which we can't see...

art Over a year ago

i guess connect.php will be specific to every user what my main focus was to use pdo

the_nuts Over a year ago

ah ok, so $handler is a PDO instance... Anyway, if you have 10 users for example, this scripts will print 9 alerts and one redirect if the user found is the last one. It doesn't seem a very good solution :)

art Over a year ago

i guess you missed avail variable which i am using here

|

Collectives™ on Stack Overflow

Simple and efficient Login mechanism using PHP and database [closed]

2 Answers 2

2 Comments

6 Comments

Linked

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

2 Comments

6 Comments

Linked

Related