How to Build a Full-Featured Login System - unidox
http://gigaspartan.com/2010/11/26/how-to-build-a-full-featured-login-system/

======
mryan
I apologise in advance for sounding harsh.

This is a terrible tutorial, and is in fact harmful to anyone who reads it
expecting to learn how to make a login system. If you are planning to learn
PHP I urge you to stay away from this tutorial (or use it as an example of how
not to do it).

First off, I am not a PHP expert, but I think the scripts produced by this
tutorial might be vulnerable to SQL injection and other attacks [1], due to
naive cleaning of user input.

Secondly, and the main reason this tutorial has irked me: Unless I am missing
something very simple, you are storing your passwords in plain text. Why are
you not hashing the passwords with a per-user salt? Even md5ing them with no
salt would be slightly better than storing the passwords in plain text.

Reading through the comments on your post, it appears there are a lot of
people who think this is a great tutorial, and who are presumably going to use
this in their own projects. Unless they do some additional research they will
be implementing an insecure system.

It is great to see people writing tutorials and sharing their knowledge.
However, writing a tutorial when (with respect) you do not know enough about
the problem area is worse than useless, it is harmful to the people who read
it.

As a starting point, the OWASP project has some useful information on handling
password authentication and hashing [2].

1: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
2: http://www.owasp.org/index.php/Guide_to_Authentication
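The two problems the comment raises, concatenating user input into SQL and storing passwords as typed, side by side with the fix. This is an added example, not code from the tutorial or from the comment above. It runs against an in-memory SQLite database via PDO so it works offline; the table names `users_plain` and `users` and their columns are assumptions for illustration, and it needs PHP 7 or later with the pdo_sqlite extension (`password_hash`/`password_verify` exist since 5.5).

```php
<?php
// Added example (not the tutorial's code). Table/column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// ---- The pattern the comment objects to. Kept only to demonstrate the bypass. ----

function registerInsecure(PDO $pdo, string $username, string $password): void
{
    // Plaintext password, and user input spliced straight into the SQL text.
    $pdo->exec("INSERT INTO users_plain (username, password) VALUES ('$username', '$password')");
}

function loginInsecure(PDO $pdo, string $username, string $password): bool
{
    // A username such as  alice' --  turns the rest of the WHERE clause into a
    // SQL comment, so the password is never compared at all.
    $sql = "SELECT COUNT(*) FROM users_plain WHERE username = '$username' AND password = '$password'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// ---- Hardened: prepared statements plus salted, slow password hashing. ----

function register(PDO $pdo, string $username, string $password): void
{
    // password_hash() draws a random per-user salt and stores it, together with
    // the algorithm id and cost factor, inside the returned string (bcrypt by default).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep the username as a bound value; it can never become SQL syntax.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still do one verify so the response time matches the
        // known-user/wrong-password path and does not leak which accounts exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() re-derives the hash with the stored salt/cost and
    // compares in constant time.
    return password_verify($password, $hash);
}

// ---- Demonstration on constructed data ----
registerInsecure($pdo, 'alice', 'correct horse');
register($pdo, 'alice', 'correct horse');

$injected = "alice' --";   // constructed attacker input, no valid password supplied
var_dump(loginInsecure($pdo, $injected, 'wrong'));
var_dump(login($pdo, $injected, 'wrong'));
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong'));
```

Running it with `php` shows the insecure login accepting the injected username with no valid password, while the prepared-statement version treats the same string as a literal username and rejects it; only the real credentials pass `login()`. Note that the hardened table never holds the password itself: an attacker who dumps `users` gets bcrypt strings that must be brute-forced per user, which is the point of the per-user salt the comment asks for.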