Has anyone read the description of a PHP user authentication system at Wikibooks? http://en.wikibooks.org/wiki/PHP%5FProgramming/User%5Flogin%5Fsystems

Is it good? Secure? Correct?

A: 

There are tons of ways to do a user authentication system, so it really depends on what you need. This one looks OK for simple authentication.

However, please note the following code they wrote:

$db = new Database(); // Database abstraction class.
$email_address = $db->esc($_POST['email']);
$password = $db->esc($_POST['password']);

What is important in this code is the Database abstraction class. It is not linked on the page, maybe somewhere else I do not know, but the most important part of this class is the call to $db->esc() that escapes and probably sanitizes user input. It is very important that you never make any call to the database without sanitizing user input, to avoid SQL injections.

Usually, the "esc" equivalent would use addslashes. But do read the note, where they state that you should use database-specific escape functions depending on the database you're using (like mysqli_real_escape_string for MySQL). Database abstraction classes are really useful for that kind of stuff :).

naixn
Yes, the authors make comment on this below that code: "The Database database abstraction class is used to hide database implementation details for the purpose of this example, and should not be taken to represent any actual, existing library class."
yueseff
OK :). I didn't read everything. However my point stands: the most important part of their code is sanitizing user input by calling `$db->esc`, probably using addslashes. See my edited post for it :)
naixn
Very good! And otherwise, do you think the Wikibooks page is good? I am using it, you see, for learning.
yueseff
It is always a good thing to use experienced dev knowledge. These guys seem to know enough to use database abstraction classes, so I'd say they know what it takes to teach. Then, it depends on your background. But PHP is quite easy to learn, and you will also learn a lot by simply writing code and reading other code. I learned PHP (and programming in general) mostly by myself, reading documentation and code :). In conclusion: yes, I think the Wikibooks pages seem good enough for you to learn from, but you will have to improve by yourself afterwards ;)
naixn
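As an added illustration of the point made in this answer (this is example code, not the Wikibooks page's own Database class nor anything the answerer posted), here is a minimal stand-in for the abstraction class whose esc() method wraps mysqli_real_escape_string, beside the lookup that omits it. The host, credentials, table and column names are assumptions for the example; the class name Database and the method name esc are kept only to match the snippet quoted above.

```php
<?php
// Added example, not from the Wikibooks page or the answer above.
// Assumes a MySQL server reachable with the placeholder credentials below
// and a table `users` with columns id, email, password_hash (all assumed).

class Database
{
    private mysqli $conn;

    public function __construct(string $host, string $user, string $pass, string $name)
    {
        // Make mysqli throw on errors instead of failing silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->conn = new mysqli($host, $user, $pass, $name);
        // real_escape_string depends on the connection charset; set it explicitly
        // so the escaping rules match what the server will parse.
        $this->conn->set_charset('utf8mb4');
    }

    // Escape a string for use INSIDE a single-quoted SQL literal.
    // mysqli_real_escape_string is charset-aware; addslashes is not.
    // e.g. esc("' OR '1'='1") returns \' OR \'1\'=\'1
    public function esc(string $value): string
    {
        return $this->conn->real_escape_string($value);
    }

    public function query(string $sql): mysqli_result
    {
        return $this->conn->query($sql);
    }
}

// Vulnerable: the raw request value becomes part of the SQL text unchanged,
// so a value containing a quote changes the meaning of the statement.
function findUserUnsafe(Database $db, string $email): ?array
{
    $sql = "SELECT id, password_hash FROM users WHERE email = '$email'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Hardened: every value that enters the SQL text goes through esc() first,
// and is still wrapped in quotes (escaping only protects a quoted literal).
function findUser(Database $db, string $email): ?array
{
    $safeEmail = $db->esc($email);
    $sql = "SELECT id, password_hash FROM users WHERE email = '$safeEmail'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Login check in the style of the quoted snippet: look the user up by
// escaped e-mail, then compare the password against the stored hash.
function login(Database $db, string $email, string $password): bool
{
    $row = findUser($db, $email);
    return $row !== null && password_verify($password, $row['password_hash']);
}

$db = new Database('localhost', 'app', 'placeholder-password', 'appdb');
$ok = login($db, (string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
echo $ok ? "login ok\n" : "login failed\n";
```

Two caveats worth knowing when reading the Wikibooks code this way: esc() only helps for values placed inside quoted string literals (an escaped value dropped into an unquoted numeric position is still injectable), and mysqli's prepared statements (prepare() with bind_param()) send values separately from the SQL text, which removes the need to escape by hand at all.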
A: 

Google php user class and you'll get a decent login class as well.

Link: phpuserclass.com

I've used it on several occasions and it works fine.

Citizen
A: 

I think the wikibooks page is a reasonable, low-level (i.e. no libraries) description of a login system in PHP. There's lots missing, but what's there is complete. But then, I'm biased. ;-)

Sam