Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Try out my first PHP web app!

Viewing 15 posts - 106 through 120 (of 211 total)

    #181907
    chrisburton
    Participant

    I understand doing that with usernames, but why do it with passwords? That’s like the opposite of good password practice.

    +1

    #181910
    __
    Participant
    • Passwords should allow any characters.
      Never alter passwords the user submits: only accept or reject them.
    • Good passwords should have a minimum length (12+ characters; even more is even better).
      To avoid problems with HTTP and/or DDOS attacks, a maximum length of 150 or so is acceptable.
    • Better passwords should include a good variety of characters (letters, numbers, punctuation).
    • Passwords should never be single words, names, dates, quotes or song lyrics.
    • Passphrases (i.e., whole sentences) are far, far, far better than passwords.
    #182083
    chrisburton
    Participant

    Not to get too far off-topic but I’ve been watching this video tutorial series on creating a user system and it’s really awesome for learning about classes, functions and OOP. There are 23 parts. You should take some time to watch it, @drose379.

    I’ve also learned that when setting the host for a DB connection, it’s better to use 127.0.0.1 rather than localhost so the server(?) doesn’t have to do a DNS lookup; therefore, it’s faster.

    https://www.youtube.com/watch?v=c_hNNAdyfQk

    #182085
    chrisburton
    Participant

    @drose379 Go back and read what I just wrote. I updated it and it may help with connecting to your database.

    I have used prepared statements before but @traq is actually more educated in PHP than I am. I’m likely to have missed something but so far it looks good to me.

    #182087
    chrisburton
    Participant

    Your PDO connection looks like this, correct?:

    new PDO('mysql:host=localhost;dbname=database', $user, $pass);
    

    Just change localhost to 127.0.0.1.

    #182088
    __
    Participant

    edit

    I’m leaving the next four paragraphs because they have useful info. However, I misread your actual question, so what I wrote isn’t directly relevant to what you’re asking (just listen to @chrisburton instead). So, feel free to skip this part:

    Practically every computer you work with will use 127.0.0.1 as its local address. If you’re working between machines on your local network, it will be different.

    As an aside, there shouldn’t be any measurable performance difference between typing http://localhost and http://127.0.0.1. If you have multiple (or oddly configured) webservers running on your computer, or if you’re connecting to some other type of local server (e.g., a database server), then you might have problems… but in general, you shouldn’t.

    (You can edit your hosts file and use whatever domain name you like for your local sites. If you’re on Windows, it’s usually at %SystemRoot%\system32\drivers\etc\hosts; Linux (and also Mac AFAIK) are in /etc/hosts. I usually set up local domain names for new projects.)

    Your webhost’s IP address can be found by using a whois lookup. Just google it. However, you probably do not want to use an IP address for your hosted website. Especially with shared hosts, it is highly unlikely that your site will be the only one using its IP address. The hostname is the only way you’ll be able to find your site reliably.

    edit: start reading again here

    your login script:

    Yes, that’s how you use prepared statements.

    However, that particular query is kind of useless. Why are you asking for the username when you already know the username? Why not ask for the password hash, so you don’t have to run a second statement just for that?

    Have you sketched out an overall design for how your login process will work? I often use a process like this:

    $sql = 'select password_hash from users where username=?';
    $stmt = $pdo->prepare( $sql );
    $stmt->execute( [ $username ] );
    /*  false if no such user  */
    $password_hash = $stmt->fetchColumn();
    
    if( $password_hash !== false && password_verify( $password, $password_hash ) ){
        /*  log in  */
        /*  tell them it worked  */
    }
    else{
        /*  waste some time  */
        time_nanosleep( 0, 500000000 );
        /*  tell them it failed  */
    }
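The login flow sketched above, together with the password rules from the earlier post (12 to 150 characters, never altered), written out as an added example that is not the thread's own code. It assumes a PDO connection `$pdo` and a `users(username, password_hash)` table, the function names are this example's own, and it replaces the sleep on failure with a verify against a throwaway hash so that unknown and known usernames cost about the same.

```php
<?php
// Added example, not the thread's own code: the login flow sketched above, with the
// password rules from the earlier post (12 to 150 characters, never altered) enforced
// at registration. Assumes a PDO connection $pdo and a users(username, password_hash)
// table; the function names are this example's own.
const PASSWORD_MIN = 12;
const PASSWORD_MAX = 150;

// Accept or reject the password exactly as submitted: no trimming, no stripping.
// Byte length is used so the upper bound also caps hashing cost.
function passwordAcceptable(string $password): bool {
    $len = strlen($password);
    return $len >= PASSWORD_MIN && $len <= PASSWORD_MAX;
}

function registerUser(PDO $pdo, string $username, string $password): bool {
    if (!passwordAcceptable($password)) {
        return false;
    }
    // password_hash() chooses the salt and algorithm. Note that bcrypt (the current
    // PASSWORD_DEFAULT) only uses the first 72 bytes of a long passphrase.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('insert into users (username, password_hash) values (?, ?)');
    return $stmt->execute([$username, $hash]);
}

// Hash of a throwaway value, computed once per request, so that an unknown username
// still costs one password_verify() and is not distinguishable by response time
// (used here in place of the sleep in the sketch above).
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// One prepared statement fetches the stored hash by username; no second query needed.
function loginUser(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('select password_hash from users where username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, DUMMY_HASH); // result discarded on purpose
        return false;
    }
    return password_verify($password, $hash);
}
```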
    
    #182089
    chrisburton
    Participant
    #182090
    __
    Participant

    I misread the question. (sorry! edited my post.)

    As far as lookup time goes, DNS lookup for “localhost” happens on your local machine (that’s what the hosts file is for), so it will actually be much quicker than DNS lookup for any address you visit on the web. Yes, if you use the IP address you don’t need to do a lookup at all, but you will never notice the difference in speed.

    Using the IP address for your DB connection actually has more to do with the possibility that “localhost” won’t successfully find your DB at all (so, yes, do it). “localhost” will either work or it won’t; it’s not a speed issue.

    #182091
    chrisburton
    Participant

    Thanks for the clarification. Can’t get it to work on MAMP when connecting to my DB. Either way, the author of the video makes it seem (even suggests) that you’ll notice a difference. This is the kind of thing I hate about tutorials. Misrepresentation and misinformation.

    #182094
    __
    Participant

    This is the kind of thing I hate about tutorials. Misrepresentation and misinformation.

    Well… you win some, you lose some. In this case, it’s still good advice, even if the specific explanation doesn’t hold up. So, in the long run, whatever.

    Was that vid from the series you recommended earlier? I watched the first three, and there were some things that weren’t great practice (mostly regarding the DB), but so far it seems like a solid tutorial and “smarter-than-the-average-bear” code. I’ll watch more later.

    #182134
    chrisburton
    Participant

    Was that vid from the series you recommended earlier?

    Yes it is.

    I watched the first three, and there were some things that weren’t great practice (mostly regarding the DB)

    Can you elaborate?

    #182178
    __
    Participant

    He stores JSON in a column to represent a map of permissions. This makes the data “opaque” to the database. For example, if you wanted to find all of the “admin” users, you could not query the database to do it: you’d have to select all of the users, parse the JSON, and then check. You can imagine how impractical this might become if you had hundreds or thousands of users, or if the average permissions map was very long.

    Instead, user→permission maps should be stored in their own tables in the DB. This way, the database can search and index them:

    create table users(
        id serial primary key
        --  . . .
    );
    create table permissions(
        name varchar(100) primary key
        --  description, etc.
    );
    create table user_permissions(
        userid bigint unsigned,
        permission varchar(100),
        primary key(userid, permission),
        foreign key(userid) references users(id),
        foreign key(permission) references permissions(name)
    );
    

    I usually have a table of groups as well, which can assign several permissions at one go. There’s effectively only one group in this example, but it’d be nice if you could efficiently change that as needed in the future.

    He also didn’t index his tables beyond assigning a primary key, though he might address this later in the series. The username, for example, should be indexed because it is so likely to be used in a “where” clause in queries. It should also be unique so you don’t have to rely on the application to make sure usernames aren’t duplicated (doing this in the DB would not only be simpler, it would prevent race conditions).

    I also found it odd that he defined a global config, and then wrote a class to access it. It would have been so much better to just put the config array in the class.

    …Watching a few more now.
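The normalized layout from the post, extended with the “groups” table traq mentions and the unique index on username, as an added example that is not the thread's own code. It assumes a PDO connection `$pdo`, a `users.username` column and the `users`/`permissions`/`user_permissions` tables above; the names `permission_groups`, `group_permissions` and `user_groups` are this example's own (`groups` on its own is a reserved word in MySQL 8).

```php
<?php
// Added example, not the thread's own code: the normalized layout above plus the "groups"
// table traq mentions. Assumes a PDO connection $pdo and a users.username column; the
// names permission_groups, group_permissions and user_groups are this example's own.
const SCHEMA_ADDITIONS = <<<'SQL'
alter table users add unique index (username);
create table permission_groups(
    id serial primary key,
    name varchar(100) not null unique
);
create table group_permissions(
    groupid bigint unsigned,
    permission varchar(100),
    primary key(groupid, permission),
    foreign key(groupid) references permission_groups(id),
    foreign key(permission) references permissions(name)
);
create table user_groups(
    userid bigint unsigned,
    groupid bigint unsigned,
    primary key(userid, groupid),
    foreign key(userid) references users(id),
    foreign key(groupid) references permission_groups(id)
);
SQL;
// "Find all admin users" as one indexed query (direct grants or via a group),
// instead of selecting every row and parsing a JSON blob in PHP.
function usersWithPermission(PDO $pdo, string $permission): array {
    $stmt = $pdo->prepare(<<<'SQL'
select distinct u.id, u.username
from users u
left join user_permissions up on up.userid = u.id
left join user_groups ug on ug.userid = u.id
left join group_permissions gp on gp.groupid = ug.groupid
where up.permission = ? or gp.permission = ?
SQL);
    $stmt->execute([$permission, $permission]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Per-request check for one user: granted directly or through any group.
function userHasPermission(PDO $pdo, int $userId, string $permission): bool {
    $stmt = $pdo->prepare(<<<'SQL'
select 1 from user_permissions where userid = ? and permission = ?
union select 1 from user_groups ug
join group_permissions gp on gp.groupid = ug.groupid
where ug.userid = ? and gp.permission = ?
SQL);
    $stmt->execute([$userId, $permission, $userId, $permission]);
    return $stmt->fetchColumn() !== false;
}
```

Run the statements in `SCHEMA_ADDITIONS` once against the database; the two functions then answer the “who is an admin?” and “may this user do X?” questions with indexed lookups, which is exactly what the JSON column cannot offer.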

    #182180
    chrisburton
    Participant

    Awesome clarification, @traq. This actually helps me with the comment system I’m building (slowly but surely).

    The following is what I don’t understand

    class Config {
        public static function get($path = null) {
        // Path is set to null
    
            if($path) {
            // Meaning, if $path is set to null?
    
                $config = $GLOBALS['config'];
                // Redefines the GLOBAL config to $config
    
                $path = explode('/', $path);
                // $path is redefined to what now? I thought it was null?
    
            ...
    
            }
        }
    }
    

    https://www.youtube.com/watch?v=S6vDgLwJ7n8

    Edit: Duh. I should have rewatched the video. The answer starts at 3 mins.

    #182191
    chrisburton
    Participant

    What’s with the quotes and single quotes ('$username', "$pass")? They’re already a string. Where is $pass coming from?

    #182195
    chrisburton
    Participant
    $query = "SELECT password FROM users WHERE username = :username";
    

    The bind should happen on $username if I’m not mistaken.

    But where is $pass coming from?
