
PHP

Jonathan Söder
7,428 Points

Basic login system with PHP and PDO. Thoughts?

Hi there!
I'm currently building my own login system with PHP and PDO. Does it look okay or have I missed something crucial in terms of basic security?

Login.php
Here is the basic login form where the admin/s log in to get to the admin area.
It sets $_POST with the user input in the form of a username and password.
Right now, when the user submits the login, it sends them to auth.php.

auth.php
Here I have a require that points to db.php (contains connection to db) that sits in a folder outside of root alongside an ini file with database credentials.

First I check if the user has sent any input using empty().
If not, I echo out a simple "user/pass empty".
Otherwise I prepare a statement that looks for the supplied username and fetch all the data from that database row.

$stmt = $connect->prepare("SELECT ID, username, password FROM auth WHERE username = :username");
$stmt->bindParam(":username", $_POST['username']); // variable was missing its leading $
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches

Then I authenticate the user

// fetch() returns false when the username does not exist; count(false) is
// a TypeError on PHP 8, so test for a row explicitly before verifying.
if ($result !== false && password_verify($_POST['password'], $result['password'])) {
    //Create session
    //Redirect to admin panel
} else {
    echo "Wrong username or password";
}

Extra security against brute force will be added later. I read about skipping the usual captcha and instead using regular questions like "what's the 2nd paragraph in <link>to text</link>?".

db.php
In this file (which is located outside of root, in a private folder), I use parse_ini_file('something.ini') to get the db credentials, which I then use to connect with a simple try catch:

try {
    $connect = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
} catch (PDOException $e) {
    echo "Something is wrong with the connection";
    die();
}

randomName.ini
Here I set the servername, username, password and dbname. This file is located in the same folder as db.php. Currently reading up on how to not store the config credentials in plain text.

1 Answer

Carlos Alberto Del Cueto Carrejo
13,817 Points

Seems good to me, you even prepared the query to avoid SQL injection. I would look for a way to create a hash and encrypt your password. That is a little more advanced, but it is not difficult to do. Take a look at this link: http://php.net/manual/en/faq.passwords.php Also, you could try using already built libraries such as TankAuth, even though I am not sure if it only works on the CodeIgniter framework.
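As an added example (not code from the original post or from the answer), here is a self-contained version of the flow the question describes, with the hashing step the answer points to folded in: credentials parsed from an ini file outside the web root, a prepared statement lookup, password_hash() when the admin account is created, password_verify() on login, and session ID regeneration on success. It assumes a MySQL table named auth with columns ID, username and password, an ini file with keys servername, username, password and dbname, and PHP 7.4 or later; the file path, the function names and the dummy password are assumptions, not values from the post.

```php
<?php
// Added example, not the poster's code. Assumes: table `auth` (ID, username,
// password), an ini file outside the web root with keys servername, username,
// password, dbname, and PHP 7.4+ (for the ??= operator).
declare(strict_types=1);

// db.php equivalent: connect with credentials read from the ini file.
function connectFromIni(string $iniPath): PDO
{
    $cfg = parse_ini_file($iniPath);
    if ($cfg === false) {
        throw new RuntimeException('Could not read database configuration');
    }
    $dsn = "mysql:host={$cfg['servername']};dbname={$cfg['dbname']};charset=utf8mb4";
    return new PDO($dsn, $cfg['username'], $cfg['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Account creation (the hashing step the answer refers to): store only a
// salted hash; password_hash() chooses the algorithm and salt for you.
function createAdmin(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO auth (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
}

// auth.php equivalent: returns the user's ID on success, null on failure.
// The caller prints one generic message either way, so the response does not
// reveal whether the username exists.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT ID, username, password FROM auth WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();   // false when there is no such user

    // Verify against a constructed dummy hash when the user is missing, so the
    // "unknown user" path costs about the same time as a real verification and
    // response timing does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    $storedHash = $row !== false ? $row['password'] : $dummyHash;

    $verified = password_verify($password, $storedHash); // always runs
    if ($row === false || !$verified) {
        return null;
    }

    // Transparently upgrade the stored hash if the default cost/algorithm changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE auth SET password = :password WHERE ID = :id');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':id'       => $row['ID'],
        ]);
    }
    return (int) $row['ID'];
}

// Request handling: POST only, both fields required, generic error messages,
// and a fresh session ID once the login succeeds (session fixation defence).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($username === '' || $password === '') {
        echo 'user/pass empty';
        exit;
    }
    try {
        // Assumed location: a private folder next to, not inside, the web root.
        $db = connectFromIni(__DIR__ . '/../private/db.ini');
    } catch (Throwable $e) {
        error_log($e->getMessage());   // detail goes to the server log only
        echo 'Something is wrong with the connection';
        exit;
    }
    session_start();
    $id = authenticate($db, $username, $password);
    if ($id === null) {
        echo 'Wrong username or password';
        exit;
    }
    session_regenerate_id(true);       // drop the pre-login session ID
    $_SESSION['admin_id'] = $id;
    header('Location: /admin/');
    exit;
}
```

The two things this adds over the snippets in the question are the dummy-hash comparison, which keeps the "no such user" and "wrong password" paths close in response time, and password_needs_rehash(), which lets you raise the bcrypt cost later without forcing every admin to reset their password.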