For my work, I manage a couple of WordPress websites. One of my current assignments is pretty hefty (IMO) - I've been asked to basically implement a user account system in PHP. There are probably web tutorials out there, but there seems to be a disturbingly low signal-to-noise ratio, and I'm sure there's a lot of ways of doing it. I'm having trouble finding quality material. I figured I would ask here.

What's the best way to set up a user account system using only PHP, Javascript, and HTML?
If you're limited to those systems then you'll need to look into a flat file user system where password and usernames are stored in files on the server rather than a database. But I strongly recommend using MySQL for the account credentials.

It's relatively easy to set up an account system on its own but you'll likely find troubles when implementing it with WordPress. Depending on your client, they may be open to letting users register on their WordPress instance and you can use those accounts throughout the site.
Oh, sorry, I forgot to mention that MySQL is available as well. (After all, WordPress uses it.)
If you're working with PHP and MySQL, I'd say your approach should be something like this:

1) Figure out what you want to store about each user. Username, user id, password, email address, etc. Once you've figured it out, create your MySQL table.
2) Implement logging in and out. PHP sessions will be your friend here. You'll probably want a separate sessions table in your database.
3) Implement a registration system. This will require at least a registration form and perhaps a Captcha of some sort. The registration system will be responsible for inserting a new row into the users table, among other things.
4) Implement a way for users to change their profiles, which can probably be built as a modification of the registration page, with values pre-filled.
5) If desired, you could also build a public-facing member directory at this point, which would fill in information about a user into a page given their username or user id.

Hope this helps. Let me know if you need more details about each step.
I implemented a simple filesystem based user account system for my site which I'm pretty sure is bulletproof (provided none of your other scripts expose non-public parts of your filesystem...)

I'll dig it up and post relevant code here.

You can take care of the front end, though I could post my front end if you want it.

Also, in review, I realize that I don't check for parameter length on the PHP end. Oops. You may want to limit the username to 50 characters or something.

register.php

Code:
<?php
   include_once "functions.php";

   // A missing form field becomes an empty string instead of raising an undefined-index notice.
   $name  = cleanup( $_POST["name"] ?? "" );
   $pass  = $_POST["password"] ?? "";
   $passr = $_POST["passwordr"] ?? "";
   $email = $_POST["email"] ?? "";
   if( $name === "" || $pass === "" ){
      die( "Username and password are required" );
   }
   if( $pass !== $passr ){
      die( "The passwords didn't match" );
   }
   if( file_exists( "../users/".$name ) ){
      die( "User with that name already exists" );
   }
   if( !filter_var($email, FILTER_VALIDATE_EMAIL)) {
      die( "That is an invalid E-Mail" );
   }
   // Mode "x" creates the file and fails if it already exists, so two simultaneous
   // registrations of the same name cannot both succeed (file_exists alone races).
   $fp = @fopen( "../users/".$name, "x");
   if( $fp === false ){
      die( "Could not create the user file" );
   }
   $time = get_time();
   fwrite( $fp,
   "name: ".$name."\n".
   "password: ".make_pass_hash( $name, $pass, $time )."\n".
   "email: ".$email."\n".
   "registered: ".$time."\n".
   "ip: ".$_SERVER['REMOTE_ADDR']."\n".
   "cancomment: true\n"
   );
   fclose($fp);
   echo "<p>Registration Successful</p>";
?>


login.php

Code:
<?php
   include_once "functions.php";
   // $_SESSION is only populated after session_start(); the guard is a no-op if functions.php already started it.
   if( session_status() !== PHP_SESSION_ACTIVE ) session_start();
   if( count( $_POST ) == 0 ) die();

   $name = cleanup( $_POST["name"] ?? "" );
   $pass = $_POST["password"] ?? "";
   if( $name === "" || !file_exists( "../users/".$name ) ){
      die( "Error logging in" );
   }
   $contents = file_get_contents( "../users/".$name );

   $passhash = getf( $contents, "password" );
   $time = getf( $contents, "registered" );
   $newhash = make_pass_hash( $name, $pass, $time );

   // hash_equals() is a constant-time, type-strict comparison; the loose != it replaces
   // would treat some unequal hash strings as equal.
   if( !hash_equals( $passhash, $newhash ) ){
      die( "Error logging in" );
   }
   session_regenerate_id( true );   // fresh session id once the user is authenticated
   $showname = getf( $contents, "name" );
   $_SESSION["loggedin"] = true;
   $_SESSION["name"] = $name;
   $_SESSION["showname"] = $showname;
   $_SESSION["postmain"] = getf( $contents, "canpost" ) == "true";
   $_SESSION["postcomment"] = getf( $contents, "cancomment" ) == "true";
   $_SESSION["postmaindelete"] = getf( $contents, "canpostdelete" ) == "true";
   $_SESSION["postcommentdelete"] = getf( $contents, "cancommentdelete" ) == "true";

   echo "<p>login successful</p>";
?>


logout.php

Code:
<?php
   include_once "functions.php";
   // The session must be started before its contents can be read or destroyed.
   if( session_status() !== PHP_SESSION_ACTIVE ) session_start();
   if( get_index( $_SESSION, "loggedin" ) === true ){
      session_unset();
      session_destroy();
      echo "Logged out";
   }
   else
      echo "Error logging out";
?>
Can you show me what the cleanup() function does? I'm sure you already checked that it doesn't allow things like ../ paths, but I want to make sure.
I was lazy and I just found a random sanitizing snippet online. From functions.php:

function cleanup($url) { //Credit to tom's answer on http://stackoverflow.com/questions/8775245/php-how-to-convert-string-to-alphanumeric-only-and-also-convert-spaces-to-das
Thanks, Kerm, that's a really straightforward way to put it. I'll do those things and post if I have trouble.
I would also recommend that you learn how to use PDO in the process to make for more secure database accesses.
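A worked version of Kerm's steps 1 to 3, using the PDO interface recommended in the previous post. This is an added example, not code from anyone in the thread; it assumes the `users` table shown in the comment and uses placeholder DSN and credentials.

```php
<?php
// Added example (not from the thread). Assumes this table exists:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) UNIQUE,
//                       password_hash VARCHAR(255), email VARCHAR(255));
// DSN, user and password below are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Step 3: registration. Returns null on success or an error message.
function register(PDO $pdo, string $user, string $pass, string $email): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{3,50}$/', $user)) return 'invalid username';
    if (strlen($pass) < 8)                              return 'password too short';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL))      return 'invalid e-mail';
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)');
    try {
        // password_hash() applies a salted, slow algorithm (bcrypt by default); the plaintext is never stored.
        $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
    } catch (PDOException $e) {
        if ($e->errorInfo[1] == 1062) return 'username taken';   // MySQL ER_DUP_ENTRY on the UNIQUE column
        throw $e;
    }
    return null;
}

// Step 2: login. Puts the user id in the PHP session on success.
function login(PDO $pdo, string $user, string $pass): bool {
    static $dummy = null;   // verified when the user does not exist, so timing does not reveal valid names
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok  = password_verify($pass, $row ? $row['password_hash'] : $dummy);
    if (!$row || !$ok) return false;
    session_regenerate_id(true);            // new session id once privileges change
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $user;
    return true;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```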
Uhhh, you're already using WordPress? Just hook into their authentication mechanisms. Using your own user library is just a long road to security sadness.
If you want to stay logged in with cookies, add another column.
When you log in, make a random string and store it in $randStr.
Store $randStr as a cookie.
Hash $randStr and store it in the table.
Also store your id as a cookie, and that way you can stay logged in.
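The cookie-based "stay logged in" scheme from the post above, written out as an added example (not the poster's code). It assumes a `remember_tokens` table as described in the comment and a configured PDO connection `$pdo`; the cookie flags and the expiry are additions a practitioner would want.

```php
<?php
// Added example. Assumes: CREATE TABLE remember_tokens (user_id INT, token_hash CHAR(64), expires INT);
// and that $pdo is an open PDO connection (placeholder, configured elsewhere).

// On successful login: issue a random token and store only its hash server-side.
function issue_remember_cookie(PDO $pdo, int $userId): void {
    $token   = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $expires = time() + 30 * 24 * 3600;              // 30-day lifetime, enforced on both sides
    $stmt = $pdo->prepare('INSERT INTO remember_tokens (user_id, token_hash, expires) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), $expires]);
    // secure + httponly keep the token off plain HTTP and away from page scripts.
    $opts = ['expires' => $expires, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie('remember_id', (string) $userId, $opts);
    setcookie('remember_token', $token, $opts);      // the raw token exists only in the cookie
}

// On a later visit with no session: look the id up and compare hashes in constant time.
function restore_from_cookie(PDO $pdo): ?int {
    if (!isset($_COOKIE['remember_id'], $_COOKIE['remember_token'])) return null;
    $userId = (int) $_COOKIE['remember_id'];
    $given  = hash('sha256', $_COOKIE['remember_token']);
    $stmt = $pdo->prepare('SELECT token_hash FROM remember_tokens WHERE user_id = ? AND expires > ?');
    $stmt->execute([$userId, time()]);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $given)) {
            session_regenerate_id(true);
            $_SESSION['user_id'] = $userId;
            return $userId;
        }
    }
    return null;                                     // unknown id, wrong token, or expired
}

// On logout: drop the server-side records (all devices for this user) and expire the cookies.
function revoke_remember_cookie(PDO $pdo, int $userId): void {
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
    foreach (['remember_id', 'remember_token'] as $c) {
        setcookie($c, '', time() - 3600, '/');
    }
}
```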