PHP User Registration/Login/Profile Script

@TechnologxJan 18.2015

I’m looking for a script that users can signup for my site and have a profile that they can edit like be able to add about me to there profile. Also where they can have contact me links with avatar and I want a place for them to have what they are selling on my site I mean for them to add this there selves. I’m not to great with PHP I know bits and pieces that’s only because I learned it from Google. This is the site I want to use this script on dreamboardstore.tk hope this isn’t to much to ask?

to post a comment

PHP

21 Comments(s) _↴

@collenweslingJan 23.2015 — #Refer to this: http://slunked.com/user-registration-and-login-system/all/1

@gjerichJan 23.2015 — #I create one..

You can downlaod at: https://sourceforge.net/projects/ploginregister/files/latest/download

demo: http://machinhead.dyndns.ws/project/login/

wiki: https://sourceforge.net/p/ploginregister/wiki/login%20and%20register%20script/

?

@anti-clockwizeJan 26.2015 — #that login script at slunked.com is not safe!! it only uses 2 salts, you want to have a 128byte randomly generated salt for each user/pass, so no two salts will be the same.

Also it doesn't use secure sessions.

Also it uses MD5 and SHA1 instead of SHA256 or SHA512, MD5 and SHA1 are proven to have collisions and easily crackable, and there are so many dictionary tables for download to do brute force cracking.

There is no tabel to record failed login attempts, so people can easily brute force it, as they will never get banned from trying after 1000000 tries.

also passwords are not hashed from the login and registration forms, so they can be grabbed raw there aswell, and urls are not sanitized.

there is virtually no protection in this script to any sort of attack... very insecure. Even if the data you are storing is not important, you have to consider that a user might use the same password for this site as they do for their bank account. so if they create an account using this script, someone can hack this site, get their password, and then go log into the back account and steal their money. The user has no idea the site has a weak login script, and will never see it coming!

@anti-clockwizeJan 26.2015 — #gjerich, u made a nice scirpt there.

trying to understand it, do all your $sql statements get strung together and then run through the query function which prepares them? Is pdo as secure or more secure than mysqli?

eg: [COLOR="#008000"] $sql = "SELECT id FROM users WHERE username = ? LIMIT 1";

$stmt = $mysqli->prepare($sql);

if ($stmt) {

$stmt->bind_param('s', $email);

$stmt->execute();

$stmt->store_result();

$stmt->close();

<<where $mysqli is the connect statement and $email is the email sent from a form or something>>

[/COLOR]

would that be just as secure as the pdo function you are using?

I saw the token generator function on the form submit, is that for XSRF/CSRF protection? Does that token match up with the session token/id to prevent xsrf attacks?

It seems like the password data from the registration form and login form is submitted raw to itself for processing (salting, hashing etc.)

Do you think it would be worth putting a javascript function that hashes the data in the form before submitting, or does the XSRF token do a better job than SHA512 hash has could do in protecting attacks and stolen data?

At the top of each php page it looks like a new session id/token is generated, that's pretty cool, does this go into a database at all?

I'm a bit tired, so I can't look into the code much (my eyes are closing) but if you could explain how you are managing the Session/Secure Session, I'd appreciate that, as it's something I am currently interested in.

@gjerichJan 26.2015 — #thx anti-clockwize;
[LIST]

[*] using PDO is more secure and friendier for/to use. becuase u can use a lot predifainded Data Objects.

[*] token is for CSRF protection yes and yes token match with session/token_name[/QUOTE]. configured in core/init.php and it is unique ech time you refresh/visit the page.. (salted with md5 & uniqid ? ). try:
[code=php]echo uniqid();[/code]

[*] i think there is no need for generate token(s) with SHA512. because it is salted twice as mentioned.

[*] user session is stored (hashed) in db and as cookie (match). only if user want to be remembered in login site.

[/LIST]
ps: for password salt read: mcrypt-create-iv. if you create 1000000 users with same passwords i guarante all passwords in db will be different.

hope will help. i think it is pretty secure.

@anti-clockwizeJan 27.2015 — #Yeah ive looked into mcrypt-create-iv, it does generate some very random strings with some very random characters based on the three optional modifiers. mcrpt_rand, _devran, _urand from memory?

Mysqli ALSO uses predefined data objects, and can use quite a lot.

I think at the end of the day, your login script IS NOT secure, it might be *pretty* secure, but that is NOT good enough on the internet today.

Anyone that is making a website with secure login that expects their website to have any decent sized user base should be using an ESTABLISHED security package. (Like Zend2, CakePHP etc etc).

These packages have TEAMS of security experts working on them and updating them to combat all sorts of different attacks. You may think your script is secure, but it only takes one person to crack it and your whole database could be compromised and all your users at risk.

If you are the sort of person who is willing to gamble on the security of *all* your users by using a "secure" login script made by an individual strange over the internet, you should not be making secure websites, as you don't understand security.

I'm sure you've done a course at school or something, and have learnt a lot about internet security, and your script might be quite robost, but at the end of the day, it's not going to be as robost as one of the ESTABLISHED SECURITY PACKAGES.

@Technologx : basically, if you're going to have a website where a couple of your mates login and post pictures, use any of the two scripts above, but if you plan on making a website that could grow to have 10's, 100's, 1000's or millions of users, YOU MUST uses an established security package, as even gjerich could have purposefully placed security holes in his code that he can exploit, and then spread it around to people to base websites off that he can later grab all the data, and sell it or use it maliciously.

When it comes to security, you can only trust the established companies/products.

@anti-clockwizeJan 27.2015 — #gjerich:

did a bit more of a look into pdo vs mysqli - seems mysqli is more powerful, both have equal security, but pdo is a nicer structure and will be easier to write secure code in the end.

the more i look through your code the more i like it actually.

I think i will change all my script from mysqli to pdo in the application i am writing at the moment.

Hadn't really looked through PDO code, only mysqli, but i'm finding that pdo is much easier to comprehend after only a few minutes compared to mysqli ?

I do really like the way you structured it, and yes it does seem you have covered a lot of bases of security, and maybe your script would not be such a bad one to use to implement into an existing site template without having to mess around too much (like with prepackaged frameworks.)

I have just one suggestion, would you consider updating to password_hash function (with password_default - currently using bcrypt) and do away with salts and needing to store them sepearately?

@gjerichJan 27.2015 — #ok, i will not argue with you.

script was made in my free time and i write it on my own. i didn't say say it is bullet proof in all points of view...

but can be a good start point.

ps: i don't know what are you creating => how many users do you expect(?)..

you are free to modifiy script. if you think it is not secure enough. simple don't use it.

good luck

@TechnologxauthorJan 27.2015 — #Well I ain't complaining as long as it works I'm ok with it. So how easy @gjerich would it be to style the login and registration forms?

@KesharLimbuJan 28.2015 — #This is quite a big job. You will have to use a combination of client side programming and serverside programming along with a database programming. If you want all of this things done in a script then you could use free mvc frameworks such as Wordpress and use the plugins provided by different users in these kind of free mvc framework.

@gjerichJan 28.2015 — #Well I ain't complaining as long as it works I'm ok with it. So how easy @gjerich would it be to style the login and registration forms?[/QUOTE]
how would you like to style it? css,js.. it should be simple. script is made/written in a raw text way (pure php).. so no stayle at all.

@TechnologxauthorJan 28.2015 — #css I've done it with this https://github.com/sctigercat1/Cydia-UDID-Protected-Repo-PHP

@gjerichJan 29.2015 — #css I've done it with this https://github.com/sctigercat1/Cydia-UDID-Protected-Repo-PHP[/QUOTE]
ok, i'm not familiar with it. should be simple, adding some css ti existing code..

@IFlowApr 27.2015 — #gjerich i have error in your code : "Parse error: parse error, expecting `')'' in C:xampphtdocslogincoreinit.php on line 8"

@gjerichApr 27.2015 — #line 8 is spl_autoload_register function - which is written correctly. i have no clue. which php version do you use? code was written in 5.5. i am running code on may Apache/2.4.12 and PHP 5.6.7. demo.

ps: line 8 shoud look like:

[code=php]
 spl_autoload_register(function($class){
 require_once 'classes/'.$class.'.php';
 });
 [/code]

or less readable

[code=php]
 spl_autoload_register(function($class){require_once 'classes/'.$class.'.php';});
 [/code]

@gjerichApr 27.2015 — #you need php 5.3 or higher. http://php.net/manual/en/function.spl-autoload-register.php

@gjerichApr 27.2015 — #off course there are other ways too..
[LIST=1]

[*]you can load 10 classes manual with require_once

[*]create foreach loop to load them all

[*]or write new class or function to do that

[/LIST]
if you need help i can give you solution in a week, because i have hard time at work right now.

@gjerichApr 27.2015 — #foreach loop:

[code=php]
 $dir='./classes/';
 $files=scandir($dir);
 foreach($files as &$class){
 if($class != '.' && $class != '..' && !is_dir($class)){
 require_once $dir.$class;
 }
 }
 [/code]

@gjerichApr 27.2015 — #try that it work for me ?

ps: class files and class names are always capitalized ! there can be a problem on your server with $dir path. and if you do not attempt to have subdirectories in /calasses/, than you can remove this from code above

[code=php]
  && !is_dir($class)
 [/code]

and code will look like:

[code=php]
 $dir='./classes/';
 $files=scandir($dir);
 foreach($files as &$class){
 if($class != '.' && $class != '..'){
 require_once $dir.$class;
 }
 }
 [/code]

@jeanFXDec 15.2016 — #I must say using pdo would be safe bet. Atleast you have to escape form data and use mysqli and prepared statement to run queries. Here is a resource i found on user login/logout & signup in php and mysql. It's pretty easy to follow http://www.kodingmadesimple.com/2016/01/php-login-and-registration-script-with-mysql-example.html

@kingperrySep 01.2019 — #thanks for very much for sharing this great experience I am glad to be part of this community

works ou for me on my two blogs

[url=https://legitloaded.com//]legitloaded.com[/url]

[url=https://asirimp3.com//]asirimp3,com![/url]

Also in #PHP _↴

style in php code Facebook Meta Tag - og:description for database value with strip_tags() and substr()Looping through table structure

Success!

Help @Technologx spread the word by sharing this article on Twitter...

Tweet This

PHP User Registration/Login/Profile Script

21 Comments(s) _↴

Also in #PHP _↴

Success!

Social

Version

PHP User Registration/Login/Profile Script

21 Comments(s) ↴

Also in #PHP ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

21 Comments(s) _↴

Also in #PHP _↴