MYSQLI Login & Register Pages

Status
Not open for further replies.

Deezi

I have a custom title
Nov 14, 2016
50
12
So I've been working on PHP for about 2 months now, done a lot of HTML since I was little, but never got into more advanced websites with PHP & stuff like that. I actually had never used JavaScript until 4 months ago, when I started getting into things again...

Enough about that though. The issue I'm having is that I don't know what to do. I have been trying to make some login & register pages, and the commands are pretty easy to understand ( been watching youtube, searching on forums & other websites ) - But can't seem to figure this out.
I made a register & login that used the POST method, and I was told that this wasn't a very good thing, and that I should find a different way to do it (?)

Could anyone please tell me what I could use instead of the POST methods?
-Using PHP & MYSQLI

Register starts off like this:
[screenshot: rjrVdII.png]


Login code starts like this:
[screenshot: Q21rOGA.png]
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,637
2,389
There's only POST and GET to submit a form in PHP.

Is this a question asking which is best to use, or is there something wrong with your code, by which I mean it doesn't work how you expect it to?

I'd recommend POST with a login form.
 

Deezi

I have a custom title
Nov 14, 2016
50
12
There's only POST and GET to submit a form in PHP.

Is this a question asking which is best to use, or is there something wrong with your code, by which I mean it doesn't work how you expect it to?

I'd recommend POST with a login form.
The form works perfectly fine, I have just been told by a lot of people that I shouldn't be using POST for both register & login, which I don't really understand, as I can't find any other ways..

But, what you're saying is that using POST is fine?
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,637
2,389
The form works perfectly fine, I have just been told by a lot of people that I shouldn't be using POST for both register & login, which I don't really understand, as I can't find any other ways..

But, what you're saying is that using POST is fine?
POST is absolutely fine. I can't see why people are not recommending it. The only difference really is that GET sends the form parameters through the URL string, and then your PHP file will pick them up (obviously only if you're telling it to by accessing the $_GET array).

So if your username and password fields were called 'uname' and 'pword', and your login file was called 'login.php', upon clicking 'Login' or whatever you call the button, you would be sent to a page similar to this: login.php?uname=Markshall&pword=mypassword&login=Login

It also sends the button data too.

However, if you're using POST, it sends the same data, but keeps the form data out of the URL.

GET is mainly used for accessing and displaying details of a user, for example: user profiles, news articles etc

userprofile.php?userid=527
news.php?articleid=62


etc, etc.

So in a nutshell, yes, you can use POST and GET for logging in/registering, but I'd recommend POST, it's tidier and more professional. Companies such as Facebook/Twitter use this method.
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,926
3,920
To truly understand why you'd use GET or POST, you should learn what HTTP request methods actually are, and what their intended use cases are:


When you login/register a user, you're creating a new resource, be it a session and/or user.

Another reason you'd generally not want to use GET (in this case) is because, as @Markshall pointed out, the parameters will be a part of the URL. This is bad because you may have access logs on your server (among other places, both client and server side), and this could potentially expose sensitive user information.
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,637
2,389
Please use a secure system for the input like "htmlspecialchars" and a filter.

Then, use ', instead of ". It's fast.
What's the point in using htmlspecialchars? All he's doing is checking a query, it's not like he's outputting data from the database onto the page, so there's no need to use htmlspecialchars on the input. Also, he's using real escape string so that's just about secure enough.
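On the escaping point raised above: a prepared statement removes the need to escape the username at all, and htmlspecialchars() is for the moment the value is echoed into HTML, not for the query. The following is an added example, not code from the thread; it assumes a mysqli connection, a `users` table with `username` and `password_hash` columns (the hash produced by password_hash()), and the form field names `uname`/`pword` used earlier in the thread.

```php
<?php
// Added example (not code from the thread): a POST-only login check that uses a
// mysqli prepared statement and password_verify(). Assumed schema: table `users`
// with columns `username` and `password_hash`, the latter from password_hash().
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function findPasswordHash(mysqli $db, string $username): ?string
{
    // Bound parameters keep user input out of the SQL text entirely, so no
    // real_escape_string() call is needed and none can be forgotten.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string) $hash : null;
}

function loginFromPost(mysqli $db, array $post): bool
{
    // Field names follow the thread's example form: uname / pword.
    $username = (string) ($post['uname'] ?? '');
    $password = (string) ($post['pword'] ?? '');
    if ($username === '' || $password === '') {
        return false;
    }
    $hash = findPasswordHash($db, $username);
    if ($hash === null) {
        // Verify against a throwaway hash so an unknown username takes about
        // as long as a wrong password, instead of failing fast.
        static $dummy = null;
        $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    if (loginFromPost($db, $_POST)) {
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['user'] = (string) $_POST['uname'];
    }
    // htmlspecialchars() belongs at output time, e.g. when echoing the username
    // back into HTML, not on the value that goes into the query.
}
```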
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,128
2,456
The only way using POST could be insecure is when you aren't using HTTPS, which makes it vulnerable to MITM attacks. But this is a bit more advanced.

POST is basically used for everything when submitting a form. You want to use GET for purposes like navigating. You don't want to put sensitive data into GET. Besides those two, there aren't really any other options when submitting a form with HTML/PHP.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
The only way using POST could be insecure is when you aren't using HTTPS, which makes it vulnerable to MITM attacks. But this is a bit more advanced.

POST is basically used for everything when submitting a form. You want to use GET for purposes like navigating. You don't want to put sensitive data into GET. Besides those two, there aren't really any other options when submitting a form with HTML/PHP.
Still vulnerable to brute force attacks, so not entirely true, unless you code a token that regenerates at every request. I simply made one that regenerates using session_id() and date("i") to prevent brute forcing.

Sent from my SM-G928F using Tapatalk
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,128
2,456
Still vulnerable to brute force attacks, so not entirely true, unless you code a token that regenerates at every request. I simply made one that regenerates using session_id() and date("i") to prevent brute forcing.

Sent from my SM-G928F using Tapatalk
Yeah or just limit it to 3 attempts every x amount of time?
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
Yeah or just limit it to 3 attempts every x amount of time?
Too much coding required.
PHP:
function getToken()
{
    // Token derived from the session id and the current hour:minute,
    // so it changes once per minute.
    return hash('sha256', session_id() . date("H:i"));
}
As simple as that, but well both options are good.

Sent from my SM-G928F using Tapatalk
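The "3 attempts every x amount of time" suggested above is only a few lines. This is an added example, not code from either poster; the limiter key and the storage are assumptions: key it on the username (plus client IP if wanted) and keep the failure timestamps server-side in the database or a cache, since anything stored per session is under the client's control.

```php
<?php
// Added example (not from the thread): a sliding-window limiter that allows at
// most MAX_ATTEMPTS failed logins per WINDOW_SECONDS for one key. The key and
// the storage are assumptions; key on username (plus client IP if you like) and
// persist the timestamps server-side (database or cache), not in the session.
declare(strict_types=1);

const MAX_ATTEMPTS = 3;
const WINDOW_SECONDS = 600;

/** Drop failure timestamps that have aged out of the window. */
function pruneAttempts(array $timestamps, int $now, int $window = WINDOW_SECONDS): array
{
    return array_values(array_filter($timestamps, fn(int $t): bool => $t > $now - $window));
}

/** True when the key has already hit the limit inside the current window. */
function isLocked(array $timestamps, int $now, int $max = MAX_ATTEMPTS, int $window = WINDOW_SECONDS): bool
{
    return count(pruneAttempts($timestamps, $now, $window)) >= $max;
}

/** Record one failed attempt and return the updated, pruned list. */
function recordFailure(array $timestamps, int $now, int $window = WINDOW_SECONDS): array
{
    $kept = pruneAttempts($timestamps, $now, $window);
    $kept[] = $now;
    return $kept;
}

// Walk-through on a constructed clock: four wrong passwords 5 s apart, then a
// retry once the window has passed.
$attempts = [];
$start = 1700000000;
foreach ([0, 5, 10, 15] as $offset) {
    $now = $start + $offset;
    if (isLocked($attempts, $now)) {
        echo "t+{$offset}s: locked, password not even checked\n";
        continue;
    }
    // ... password_verify() would run here; treat every attempt as a failure.
    $attempts = recordFailure($attempts, $now);
    echo "t+{$offset}s: failure recorded, " . count($attempts) . " in window\n";
}
$later = $start + WINDOW_SECONDS + 1;
echo 'after the window: ' . (isLocked($attempts, $later) ? 'locked' : 'open') . "\n";
```

The fourth attempt is refused before the password is checked, and the lock releases on its own once the oldest failures leave the window.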
 
