PDO Login/Register system review
Problem
I wrote my very first login/register PDO system today. I know there are still a lot of flaws, but I was wondering what tips and advice you have to help me improve this. I know that PDO is much more secure than MySQL, so would you say my code is secure? If so, to what extent, since I'm using PDO? Any tips and advice would be much appreciated!
login.php
register.php
index.php
core/connect.php
login.php

```php
<?php
// login.php as posted. The opening tag, the include of core/connect.php, the
// form-submission check and the "Login" form markup were lost in extraction
// and are restored in minimal form; the function name connect() is assumed.
session_start();
require_once 'core/connect.php';
$conn = connect();
if (isset($_POST['username'], $_POST['password'])) {
    // The parameters are bound, so the input cannot alter the SQL; the password
    // itself is still compared in plaintext against whatever is stored in the table.
    $query = $conn->prepare("SELECT username, password FROM users WHERE username=:username AND password=:password");
    $query->bindParam(':username', $_POST['username']);
    $query->bindParam(':password', $_POST['password']);
    $query->execute();
    if ($row = $query->fetch()) {
        $_SESSION['username'] = $row['username'];
        header("Location: index.php");
    }
}
?>
<!-- "Login" form markup (username and password fields posted to this page) lost in extraction -->
```

register.php
```php
<?php
// register.php as posted. The opening tag, the include and the submission check
// are restored; the "Register" form markup was lost in extraction and the
// function name connect() is assumed.
session_start();
require_once 'core/connect.php';
$conn = connect();
if (isset($_POST['username'], $_POST['password'])) {
    // The password is stored exactly as typed; nothing hashes it first.
    $query = $conn->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
    $query->bindParam(':username', $_POST['username']);
    $query->bindParam(':password', $_POST['password']);
    if ($query->execute()) {
        header("Location: index.php");
    } else {
        echo 'ERROR';
    }
}
?>
<!-- "Register" form markup (username and password fields posted to this page) lost in extraction -->
```

index.php
```php
<?php
// index.php as posted. The opening tag and the session check were lost in
// extraction and are restored; the anchor markup around the links was also
// stripped, and the page does not show where the Logout link pointed.
session_start();
if (isset($_SESSION['username'])) {
    echo 'Logout';
} else {
    echo '<a href="login.php">Login</a>
<a href="register.php">Register</a>';
}
?>
```

core/connect.php
```php
<?php
// core/connect.php as posted. The function name, the DSN and the credentials
// were lost in extraction; connect() and the placeholder values are assumptions.
function connect() {
    try {
        $conn = new PDO('mysql:host=localhost;dbname=app', 'user', 'password'); // placeholder DSN/credentials
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $conn;
    } catch (PDOException $e) {
        // Echoes the driver message (host, user, database name) to the browser
        // and then returns null, so callers get no usable connection.
        echo 'ERROR', $e->getMessage();
    }
}
?>
```

Solution
Here are several tips:
- Use OOP - this way you could start the session only once
- Hash your passwords - this way no one can steal them from the db, or at least the chance is lower
- Use MVC - separate your HTML from the PHP code
- Move your db connection credentials to a .ini file - this way they can be easily changed, and .ini files can be cached by the server
Feel free to check my code for user authorization here in my pet project.
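The tips above applied to the posted code, as an added example that is neither the poster's nor the answerer's code. Binding the parameters already stops the input from altering the SQL, which is the part PDO's prepared statements buy you; what it does not do is protect the password, which the original compares and stores in plaintext. The example below hashes at registration, verifies with password_verify() at login so the database never sees the plaintext, opens the connection once from an .ini file, and ends the script after the redirect. The file names core/bootstrap.php and config/db.ini, the .ini keys, the users.id column and the eight-character minimum are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Assumptions:
// config/db.ini lives outside the web root, users has an integer id column,
// and users.password is VARCHAR(255) so future password_hash() outputs fit.
declare(strict_types=1);

// core/bootstrap.php: included once per request; every page calls db().
function db(): PDO
{
    static $conn = null;
    if ($conn === null) {
        // config/db.ini (assumed path and keys):
        //   dsn      = "mysql:host=localhost;dbname=app;charset=utf8mb4"
        //   user     = "app"
        //   password = "..."
        $cfg = parse_ini_file(__DIR__ . '/../config/db.ini');
        if ($cfg === false) {
            throw new RuntimeException('database configuration missing');
        }
        $conn = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, typed parameters
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }
    return $conn;
}

// Registration: store only the hash. password_hash() chooses the algorithm
// and a random per-password salt, so two users with the same password get
// different stored values.
function registerUser(string $username, string $password): bool
{
    if ($username === '' || strlen($password) < 8) { // minimum length is an assumption
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = db()->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    try {
        return $stmt->execute([':username' => $username, ':password' => $hash]);
    } catch (PDOException $e) {
        // e.g. a duplicate username: log the driver message server-side,
        // never echo it to the client as the original connect.php does.
        error_log($e->getMessage());
        return false;
    }
}

// Login: select by username only, then compare in PHP with password_verify().
// The plaintext password never reaches the database, and an unknown user and
// a wrong password fail through the same branch.
function loginUser(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, username, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Re-hash transparently when the default algorithm or cost has moved on.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = db()->prepare('UPDATE users SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['username'] = $row['username'];
    return true;
}

// login.php request handler; register.php follows the same shape with registerUser().
session_start();
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($ok) {
        header('Location: index.php');
        exit; // header() alone does not stop the script; the rest of the page would still run
    }
    $error = 'Invalid username or password';
}
```

The SELECT deliberately drops the password from the WHERE clause: with hashes in the table there is nothing to match against in SQL, and keeping the comparison in PHP is what lets password_verify() do a constant-time check against the stored hash. The catch block in registerUser() is the one place where the original's habit of echoing $e->getMessage() is replaced by error_log(), since the driver message can contain the host, user and database name.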
Context
StackExchange Code Review Q#38202, answer score: 4