First serious PHP project - PHP Login system, some questions?


dstick

I am starting my first serious PHP project. I have been following tutorials to get up to speed with MySQL and PHP programming and decided that it is a good time to move forward.

My goal is an online database. For development purposes, I just chose a movie database.

 

I would like to go to the main page and display an option to login as a user. The users are basically persons who edit the database. So when the user logs in, they will be able to update a basic profile with some simple user info and they will be able to add, delete or update records from the database.

 

Working with MySQL to add, delete or update records is a task I have recently completed. Still rounding out how to do that, but I have a good grasp of this now. What I don't know is how to fit a login system into the project.

 

For sure, I am using PHP procedural. I don't want to work with object oriented code for now. I also know by recommendation, that I want my user database to be a table in my database instead of a separate db.

So I am starting a very simple login system from scratch.

Does anyone have a recommendation on how I can start this? What pages should I create and how should I structure the code? This is my first project where I have to think of various angles corresponding to my web application. So, I'm new to having to solve different related problems. Not too overwhelming, but if you can keep it simple or step by step for me, it would really be helpful.

 

Any suggestions?


In general, start with prepared statements when you're using the database.  It's the right way to do it, there's no reason to learn the wrong way and have to unlearn and relearn that stuff.  This is wrong:

 

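// $conn is the connection returned by mysqli_connect()
$result = mysqli_query($conn, "SELECT * FROM users WHERE username='$username'");

Variables never go inside a query string. Instead you prepare the statement first, then pass the data to it.

// The ? is a placeholder; the value is sent separately from the SQL text
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username=?");
mysqli_stmt_bind_param($stmt, 's', $username);  // 's' = bind as a string
mysqli_stmt_execute($stmt);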


That code is a little easier to read when it's object-oriented, but if you're using a tutorial that doesn't teach prepared statements then ignore it and find one that does.

 

As far as storing passwords in your database, PHP has several built-in functions that you can use to also do that the right way:

http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/

 

Other than that, just start at the beginning.  The first thing you need is a way to add users, so create a page to add a new user and save them in the database.  Later you can come back to that page and add permission checking so that only an administrator can add a new user, for example, but just start there and then do the login page where the users can log in, and just go from there.
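
The two steps suggested in this thread (an add-user page, then a login page), as an added example that is not part of the original posts. It uses procedural mysqli prepared statements with PHP's built-in password_hash() and password_verify(); the users table layout, the function names register_user and login_user, and the connection values are assumptions.

```php
<?php
// Added example. Assumed table (not from the thread):
//   users(id INT AUTO_INCREMENT PRIMARY KEY,
//         username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))

// "Add user" page: store only the hash, never the password itself.
function register_user(mysqli $conn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($conn,
        "INSERT INTO users (username, password_hash) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    try {
        $ok = mysqli_stmt_execute($stmt);
    } catch (mysqli_sql_exception $e) {
        $ok = false; // e.g. the username is already taken
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

// Login page: returns the user's id, or null on any failure.
function login_user(mysqli $conn, string $username, string $password): ?int
{
    $stmt = mysqli_prepare($conn,
        "SELECT id, password_hash FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $hash);
    $found = mysqli_stmt_fetch($stmt); // true only when a row was fetched
    mysqli_stmt_close($stmt);
    // Same answer for "no such user" and "wrong password".
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}

// login.php form handler; the connection values are placeholders.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $conn = mysqli_connect('localhost', 'db_user', 'db_pass', 'movies');
    $id = login_user($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($id !== null) {
        session_start();
        session_regenerate_id(true); // issue a fresh session id after login
        $_SESSION['user_id'] = $id;
        echo 'Logged in';
    } else {
        echo 'Invalid username or password';
    }
}
```

Pages that edit records can then start with session_start() and refuse the request when $_SESSION['user_id'] is not set.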
