For new developers (may it be PHP Developers or any other developer), it would not be suitable to directly build a strong login system as it may be considerably flawed. For such a task you can actually use an existing PHP library. Use built-in login technique if you are using PHP Framework.
Creating a secure login system
- There are several ways for hacking your database and Userbase. Also there are several possible SQL exploits (which are called SQL injections) which you need to consider into by doing appropriate input validations.
- It is certainly not a good idea of storing plain text password. Input validation is extremely a necessary part and it should be done at both front end as well back end. Adequate priority needs to be given to it.
- This is not something that is easily undertaken. Most security breaches where user databases are insecure and stolen either start with a weakness in the login system or how the user logins are stored. I recommend using a pre-build system such as Single Sign-On Server/Client Documentation.
- Here are few of the points to be considered while building a login and registration form in PHP:
- Validate the input: It is necessary to validate the input by making sure that the input values are thoroughly validated front as well as back end, before checking for the authentication of the input provided in the login form.
- Password as an input: Using some SHA function, take the password in the encrypted form.
- Database: You need to make your data base protected and secured that can only be accessed with a password.
- Storing the Password in the Database: while you are doing registration, make sure all the entries of the registration form are validated on front as well as back end process. It is not advisable to save password in simple text form, rather standard SHA function should be used for encrypting the password in order to avoid unauthorized access to somebodies account. Anybody can get to know about your login credentials if your password is in simple text form and can be extracted through SQL Injection.
- Sessions for different users: One must be careful about the later part of a login procedure. A separate session must be started for that particular user once the user is authorized.
If you are using PHP framework, use built-in login technique. There are several ways for hacking a server or a site, so never give your password in the form of simple text; else the SQL exploits with the help of SQL injection will ruin your security. You need to make your data base protected and secured that can only be accessed with a password.