63 Comments
- neoform, on 10/12/2007, -0/+23
No kidding, I slapped my forehead the second I saw this:
    $first_name = stripslashes($first_name);
    $last_name = stripslashes($last_name);
    $email_address = stripslashes($email_address);
    $username = stripslashes($username);
    $info = stripslashes($info);
    [...]
    $sql_email_check = mysql_query("SELECT email_address FROM users
        WHERE email_address='$email_address'");
    $sql_username_check = mysql_query("SELECT username FROM users
        WHERE username='$username'");
For whatever reason he actually STRIPS the slashes out of the fields when he should actually be ADDING slashes..
He purposefully opens himself up to SQL injection when he was probably already protected by magic_quotes.. what a dumbass.
- dude3609, on 10/12/2007, -0/+12
I like this PHP login tutorial (I didn't make it btw),
http://evolt.org/PHP-Login-System-with-Admin-Features
because of the admin features that come with it too. You can also download a pre-made version of it (at the bottom of the page) put together in a zip file if you want, so you don't have to spend a long time putting it together yourself.
- psyon, on 10/12/2007, -0/+9
Maybe the author wants inexperienced programmers to use these insecure methods so that he/she can later set up a bot net?
- Kethinov, on 10/12/2007, -1/+9
Whoever is digging me down for saying Yahoo is PHP driven should probably read this: http://public.yahoo.com/~radwin/talks/yahoo-phpcon2002.htm
- onebigword, on 10/12/2007, -1/+8
Very good write-up if you are new to this stuff.
- llbbl, on 10/12/2007, -0/+6
I used that one before on a project. It was easy to customize for my own uses.
- Kethinov, on 10/12/2007, -3/+9
And Yahoo! is PHP driven.
- yongfookathome, on 10/12/2007, -1/+6
Care to explain why? I believe the very site you are using is based on PHP and MySQL...
- llbbl, on 10/12/2007, -0/+5
Vote this tutorial down since it is insecure. People should always double check the code they borrow to make sure it is secure.
Click here to vote on the article.
http://www.phpfreaks.com/tutorials.php?cmd=rate&tutorial_id=40
- merreborn, on 10/12/2007, -1/+6
Flaws:
Page 2:
Given code later on, email and username should be unique keys.
Page 4:
Stripslashes: he's obviously using magic_quotes. Ew. Even worse, he doesn't *re-escape* these strings before shoving 'em in queries. ***** dumbass. SQL injection, here we come!
Uses htmlspecialchars() to escape a field being put into the database. Wrong function. Use mysql_escape_string().
Passwords are MD5 hashed, but not salted -- rainbow tables, here we come! The improper use of the term 'salt' in his two-bit 'randomPassword()' function is humorous, in light of this flaw.
Page 8:
He redefines randomPassword() with the exact same code. Come on, man. Ever heard of include()?
Having spent 5 minutes scanning his code, it'd be trivial to control any user's account, thanks to the blatant SQL injection holes. The other flaws just prove he's totally incompetent as a programmer. This is the sort of ***** that makes people think all PHP code is crap.
Thanks for nothing, "phpfreak".
- cypresso, on 10/12/2007, -1/+5
Doesn't account for XSS or SQL injection, but I really don't think those would be a problem with this.
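The lookup neoform quotes, rewritten the way merreborn's list asks for (unique keys, escaping left to the database driver, salted hashing). This is an added example, not code from the tutorial or from any commenter; it assumes PHP 7 with the bundled PDO SQLite driver and uses a constructed sample address.

```php
<?php
// Added example, not code from the tutorial or from any commenter.
// Assumes PHP 7+ with the bundled PDO SQLite driver.

// Constructed input: an apostrophe is legal in an e-mail local part, and it
// is also the character that closes a single-quoted SQL literal.
$email_address = "o'brien@example.com";

// What magic_quotes_gpc did to every request value on the PHP of that era.
$quoted = addslashes($email_address);        // backslash inserted before the apostrophe

// The tutorial's path: strip the escaping back out, then interpolate.
$stripped   = stripslashes($quoted);         // backslash removed again
$unsafe_sql = "SELECT email_address FROM users WHERE email_address='$stripped'";
// The user-supplied quote ends the literal early, so whatever follows it is
// parsed as SQL rather than compared as data; the string now reads
//   SELECT email_address FROM users WHERE email_address='o'brien@example.com'
echo $unsafe_sql, PHP_EOL;

// Hardened path: values travel as bound parameters; quoting is the driver's job.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    userid        INTEGER PRIMARY KEY,
    username      VARCHAR(32)  NOT NULL UNIQUE,  -- unique keys, as merreborn asks for
    email_address VARCHAR(254) NOT NULL UNIQUE,  -- room for any real address, unlike varchar(25)
    password      CHAR(60)     NOT NULL          -- bcrypt output is always 60 characters
)');

// password_hash() draws a fresh random salt per user, so identical passwords
// produce different rows and precomputed MD5 tables do not apply.
$ins = $db->prepare('INSERT INTO users (username, email_address, password) VALUES (?, ?, ?)');
$ins->execute(['obrien', $email_address, password_hash('correct horse', PASSWORD_BCRYPT)]);

/** True when a users row exists whose $column equals $value. */
function user_exists(PDO $db, string $column, string $value): bool
{
    // Identifiers cannot be bound, so the column name comes from a fixed list.
    if (!in_array($column, ['username', 'email_address'], true)) {
        throw new InvalidArgumentException("unexpected column: $column");
    }
    $stmt = $db->prepare("SELECT 1 FROM users WHERE $column = ?");
    $stmt->execute([$value]);
    return $stmt->fetchColumn() !== false;
}

var_dump(user_exists($db, 'email_address', "o'brien@example.com"));
var_dump(user_exists($db, 'username', "o'brien"));
```

The first lookup matches the stored address, apostrophe and all, and the second finds nothing: with bound parameters the quote is never part of the SQL text, so the same input that breaks the interpolated query is just a value here.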
- dude3609, on 10/12/2007, -0/+4
Digg, Yahoo, Amazon (and trust me, I can go on).. all use PHP.. Care to hear more or are you finished bitching? I wouldn't call it for script kiddies; even though it's not incredibly difficult, it does serve as a great help for creating web based applications.
- Kethinov, on 10/12/2007, -1/+5
I know for some strange reason it's fun to be elitist and condescending, pretending everyone should be intimately familiar with esoteric knowledge, but if you could take the time to explain to the rest of us not up there on that high horse what is laughable about that, your criticism of the tutorial might be a bit more effective.
I didn't write the thing, but I also don't see anything wrong with a password field set to varchar 255, other than the fact that a 255 character string representing a password (even factoring in encryption) is somewhat excessive.
- david76, on 10/12/2007, -1/+4
PHP and MySQL might not be preferred for enterprise capable software, but it's good for a lot of web-based development. I personally prefer C# and ASP.NET, but that's just personal preference.
- artnez, on 10/12/2007, -0/+3
MD5 is old and outdated, better to use SHA1 (comes standard with PHP nowadays).
What the poster was making light of was the fact that an MD5 hash is *always* 32 characters long. There is no reason to make a 255 character field. MySQL frees up memory for a field of 255 characters. Seeing as the user table is one of the most used in a user driven database, it should be optimized in full.
It's also laughable because the article writer isn't very smart. People like him cause GOOD developers of web software to be looked down upon by C/C++/Java/etc gurus. Any idiot can memorize how to write a function, define a variable or set up a fairly organized OOP project... very few have the perseverance to actually LEARN why you need to do certain things (for example, WHY do you need to set the amount of available chars in a VARCHAR). If they understand those concepts they will understand how ridiculous this article looks.
Also, it was written in 2002 ... kind of late?
- neoform, on 10/12/2007, -3/+6
Google uses MySQL just so you know..
- Kethinov, on 10/12/2007, -0/+3
See? Now that's a valid criticism. Polite and to the point.
- verifex, on 10/12/2007, -1/+4
The tutorial is hard to read: it is separated into 10 pages, each with 2 or 3 paragraphs per page, and each page is HEAVILY ad-saturated. Give me a break! I don't care HOW good that tutorial is, it's painful to read. Put that stuff up on Wikipedia if you want to learn MySQL and PHP.
- catoutfit, on 10/12/2007, -1/+4
email_address varchar(25)
Not long enough at all either; my personal address is far longer and I know a few others that do too :)
- mojo, on 10/12/2007, -0/+3
Date: 11/23/2002 - not the most up to date PHP article.
- david76, on 10/12/2007, -0/+3
This article is great. I especially appreciate the irony of encrypting a random password in the database for the user, and then sending that password to the user via e-mail.
- Bogtha, on 10/12/2007, -0/+2
The password isn't encrypted, it's hashed, and the purpose isn't to avoid HTTP sniffing, it's to avoid disclosing passwords when somebody manages to read your database through one of the SQL injection holes this code contains.
Disclosure of passwords might seem unimportant when you consider one website in isolation, but you have to remember that a *lot* of people use the same password for multiple websites.
So grab their email address and password from the database, and compromise their email account. Then read their email to find all the confirmation emails they get when they sign up to other websites, and compromise their accounts there too. Before you know it, you've got masses of login details.
- NoMoreNicksLeft, on 10/12/2007, -0/+2
@kethinov
Hashes are fixed length, no matter the length of the password. If you want to use the entire text of War and Peace as your password, the resulting hash (depending on the flavor) will still be a fixed length of, say, 16 bytes or so. He might opt to store it in hex, for a varchar(32) (something I don't object to; it makes it easier to debug, and no one's going to make a realistic case for saving 16 bytes times 500 users, or even 10,000). Or he might even choose something overkill, SHA512 for instance, and make it varchar(128) as hex. There are no doubt other hashes of varying sizes.
But choosing varchar(255) shows you know nothing at all. The password hash might be one of the few fields that you can even be sure of setting to a specific size... I mean, was 32 characters too restricting for usernames? Should you have made it 48? Will they have some bizarre state gov email address that just won't fit?
If your data will only *ever* be a specific size, without any exception, then you use only that much. And by god, if you don't know enough about encryption that you aren't even aware that hashes have some very specific sizes, maybe you shouldn't be writing apps that take advantage of them.
- dharm, on 10/12/2007, -0/+2
If MySQL works great for you, then you definitely wouldn't need the others. If you were using something like Oracle and switched to MySQL... you obviously didn't need the abilities of Oracle in the first place.
This has been argued numerous times, the differences/purposes/strengths of each db...
- cramd, on 10/12/2007, -1/+3
MySQL now has many enterprise customers, using it in place of Oracle and MSSQL. Since V5.0 has been out it has become a real alternative to the costly others. Take a look at http://www.mysql.com/customers/:
Yahoo!
Feedburner
Ticketmaster
Los Alamos National Laboratory
Sabre Holdings
Cisco Systems
Looks like a good start!
- neoform, on 10/12/2007, -0/+2
@Kethinov
It's not elitist to correct someone who's taken it upon themselves to teach others.. if he's teaching newbies stuff that's wasteful or even wrong, he should be told..
- inactive, on 10/12/2007, -0/+1
That's the first proactive idea I've seen in the comments. Maybe the stats from this front page Digg will encourage a followup.
- inkswamp, on 10/12/2007, -0/+1
Nice article, but the so-called print-friendly version of it is seriously effed up.
- yongfookathome, on 10/12/2007, -4/+5
A dated tutorial. Good for the basics, but in this day and age we should be digging tutorials like this that verify the validity of the form via AJAX. One of the things I find frustrating about registration forms is when web developers make them like this - I have to submit, then get feedback on what I've done wrong (username taken, email invalid etc) after a page refresh. Form validity feedback should be an asynchronous action (like onkeyup) - not something I have to physically say "ok, let's send this off and see if I've got things right this time!".
Granted, it's not actually that big a deal to implement some AJAX functionality in a form like this, but if we frontpaged tutorials that already TOLD you how to do it, we might see a few less frustrating forms on the web...
- MalDON, on 10/12/2007, -0/+1
Wow, took three years to hit digg. I read this tut like way back when I started PHP. I'm ashamed that digg is resorting to old tutorials. Now, what would be good is if someone posted a tutorial for an OOP based user login system with full anti-hacking checks etc.
- Kethinov, on 10/12/2007, -0/+1
neoform, there's nothing corrective in his post. The criticism is the exact opposite of constructive. If there's something wrong with the tutorial, I agree with you that the author should correct it, but I have no idea what the criticism in question even is. All I see is a condescending attitude.
- MrDiaz, on 10/12/2007, -1/+2
Yes, it is a nice tutorial indeed, however "Date: 11/23/2002".
Conclusion: If I were you I'd just take the basics of this membership system and then from there move on to more updated content.
- Kethinov, on 10/12/2007, -0/+1
Thanks for the clarification, NoMoreNicksLeft. I don't see that as particularly laughable, but it's certainly not optimized. Personally, I always make password fields varchar 32 because I md5 everything.
- xMikey, on 10/12/2007, -0/+1
I like this membership system better, it has a lot more features.
http://techtuts.com/?view=tutorials&act=cat&id=11 (Scroll down to bottom for membership system base)
- slythfox, on 10/12/2007, -0/+1
Unless I haven't been keeping up to date with my PHP/MySQL foo, but int() can only be up to a value of 10 digits (so int(11)). What's userid int(25) all about?!
- clueless, on 10/12/2007, -1/+2
Just click on the print link and you'll get the whole thing without any ads.
- netade, on 12/19/2008, -0/+1
Save your time and get a script. The faster you get to market the better. Here's what I use: http://www.onlinetrainingsoftware.org
- david76, on 10/12/2007, -0/+0
@alex007
Agreed, but unfortunately you have to build your own adapters to use it via web services. Thankfully people have already done this. BTW, does PHP have built-in web service support?
- huhnteufel, on 10/12/2007, -0/+0
That's a gold mine of tutorials. Thanks! :)
- MannaPC, on 10/12/2007, -1/+1
Hey guys,
I got a couple of probs with this. One of them is that this is an old tutorial. Plus, the tutorial doesn't teach one how to make the best membership script. While it is okay, it lacks quite a bit. A few of the things include optimizations, security and implementation.
It might be okay for newcomers, like the first commenter posted.
Have a good one,
Christopher
- jouva, on 10/12/2007, -0/+0
Username validation can be a GOOD thing and a BAD thing in Ajax.
It's good for when the user doesn't have to go back to the page and change their username after they entered nearly everything.
It's BAD in that somebody can abuse the page or possibly the underlying Ajax backend to query for existing user names. This can expose account names easily to bots to try and get passwords for, or possibly easily expose anonymous users. Same thing could be said about a "Check if my name is available" form though.
However, USUALLY this is not something to worry about.
- Kethinov, on 10/12/2007, -1/+1
edit: ugh, digg needs a better threading system to prevent people from accidentally starting new threads in comments meant to be replies.
- NoMoreNicksLeft, on 10/12/2007, -3/+3
password varchar(255)
Uh, yeh. I mean, I didn't expect anything grand, but this is just laughable. I read it in the hopes of being able to rip on them about still using MD5, but I expected nothing quite this boneheaded.
*shakes head in utter disbelief*
- megaversal, on 10/12/2007, -0/+0
Maybe it's just me, but instead of all the "this tutorial isn't that great" comments, does anyone know of a good tutorial? One that does take into account XSS, etc and explains how they are protecting against it. It seems to me that kind of tutorial would be really, really useful, especially so we don't have another generation of web programmers creating these very insecure sites.
- ahdustin, on 10/12/2007, -2/+2
This was a great tutorial a year and a half ago. But nonetheless, still really good.
- zzz@tkz, on 10/12/2007, -1/+1
I just finished a membership system on my site. In fact, it's complete with a whole WMS, all done by me. Go me.
No easy task, unless you have a C+P thing like this :P.
- JayBachatero, on 10/12/2007, -1/+1
Nice tutorial. Opens a whole mess of holes and security issues. I wonder if phpfreaks.com checks their tutorials before submitting them. Also, how old is this? No Digg.
- maseone, on 10/12/2007, -1/+1
There we go, that one should be a bit better.
I didn't have a chance to go through all of it, but just looking at the first page, the advanced features it covers give me some indication that the basics should be presented properly as well.
I've seen other quality tutorials on evolt.org as well.
- chesterjosiah, on 10/12/2007, -1/+1
I needed this about a month ago, but since I didn't have it, I wrote my own from scratch. Regardless, this is AWESOME. I haven't read the whole thing yet, but I know the section on PHP Sessions will be useful. DUGG
- phpfreak, on 10/12/2007, -0/+0
I know this comment will get dugg down, but I don't see why everyone loves AJAX so much... cross-browser compatibility is a big issue and you could just as easily use a header() function with GET data attached to validate forms and add comments.