How to sign in and sign up using PHP


1. Database Table (user_login)

The table structure for the user_login table looks good for storing user information. One suggestion would be to make the id column an AUTO_INCREMENT field to automatically generate unique IDs for users.

CREATE TABLE `user_login` (
  `id` int(6) NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `fname` varchar(40) NOT NULL,
  `lname` varchar(40) NOT NULL,
  `email` varchar(50) NOT NULL UNIQUE,
  `phone_number` varchar(10) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

  • The password column size should be increased to 255 to accommodate hashed passwords.

  • You should also mark email as UNIQUE to avoid duplicate entries.

2. Error Handling (error.php)

This code handles the display of error messages correctly. It checks for errors and outputs them in a div. It’s good practice to make sure the errors array is initialized in your server.php file to avoid any warnings if the array is not defined.

<?php if (!empty($errors)) : ?>
  <div class="error">
    <?php foreach ($errors as $error) : ?>
      <p><?php echo $error; ?></p>
    <?php endforeach ?>
  </div>
<?php endif ?>

3. Home Page (index.php)

The home page redirects users to the signin.php page if they are not logged in, which is a good security practice. You’re checking if the user is logged in by verifying the session.

Consider displaying a more user-friendly logout link:

<p><a href="index.php?logout='1'" style="color: red;">Logout</a></p>

4. Registration Page (register.php)

The registration form includes input fields for the user's first name, last name, email, phone number, and password.

  • You should also validate the phone number format, ensuring it matches a valid phone number pattern.

  • Make sure you hash the password before saving it to the database for security reasons (use password_hash() instead of md5()).

Here’s a sample update:

$password = password_hash($password_1, PASSWORD_DEFAULT); // Hash the password before saving

5. Server-side Logic (server.php)

The server-side logic includes user registration and login functionality. It’s good practice to check if the user exists before performing operations like inserting or selecting.

You’re correctly checking if the passwords match during registration. The password_verify() function is useful for verifying hashed passwords during login.

You can update the login part as follows:

// Login User
if (isset($_POST['login_user'])) {
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    // Check for errors
    if (empty($email)) {
        array_push($errors, '<div class="alert alert-danger" role="alert">Email is required</div>');
    }
    if (empty($password)) {
        array_push($errors, '<div class="alert alert-danger" role="alert">Password is required</div>');
    }

    // If no errors, look the user up by email and verify the submitted password against the stored hash
    if (count($errors) == 0) {
        $query = "SELECT * FROM user_login WHERE email='$email' LIMIT 1";
        $results = mysqli_query($db, $query);
        $user = mysqli_fetch_assoc($results);
        if ($user && password_verify($password, $user['password'])) {
            $_SESSION['email'] = $email;
            $_SESSION['success'] = "You are now logged in";
            header('location: index.php');
            exit; // stop the script so nothing after the redirect header runs
        } else {
            array_push($errors, '<div class="alert alert-danger" role="alert">Wrong email/password. Please try again.</div>');
        }
    }
}

6. Login Page (signin.php)

This is a clean login page, and it includes the necessary form fields. You can improve the security of the login process by using password_verify() for password matching.

Additional Suggestions:

  1. Security Improvements:

    • Always hash passwords using password_hash() and verify them with password_verify() to ensure proper security.

    • Consider adding a "Remember Me" functionality by setting a session cookie if the user selects the checkbox.

  2. Prevent SQL Injection:

    • You're already using mysqli_real_escape_string(), which helps prevent SQL injection as long as every escaped value is placed inside quotes in the query. For better security, use prepared statements (mysqli_prepare()), which send the values separately from the SQL so they can never be interpreted as part of the query.
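The login handler from section 5, rewritten with the prepared statement suggested above. This is an added example, not code from the original post; it assumes $db is an open mysqli connection, session_start() has already run, and the password column holds password_hash() output.

```php
<?php
// Added example, not code from the original post: the login handler
// rewritten with a prepared statement (mysqli_prepare) so the email is
// bound as data instead of being escaped into the query string.
// Assumes $db is an open mysqli connection, session_start() has run,
// and the password column holds password_hash() output.
function login_user(mysqli $db, string $email, string $password, array &$errors): bool
{
    if ($email === '') {
        $errors[] = 'Email is required';
    }
    if ($password === '') {
        $errors[] = 'Password is required';
    }
    if ($errors) {
        return false;
    }

    // The ? placeholder carries the email as a parameter; no escaping needed.
    $stmt = $db->prepare('SELECT id, password FROM user_login WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare against the stored hash. The password is never placed in SQL,
    // so it is not escaped: escaping would change characters such as ' or \
    // before they reach password_verify().
    if (!$found || !password_verify($password, $hash)) {
        $errors[] = 'Wrong email/password. Please try again.';
        return false;
    }

    // Issue a fresh session id on login so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $id;
    $_SESSION['email'] = $email;
    $_SESSION['success'] = 'You are now logged in';
    return true;
}

if (isset($_POST['login_user'])) {
    $errors = [];
    if (login_user($db, trim($_POST['email'] ?? ''), $_POST['password'] ?? '', $errors)) {
        header('Location: index.php');
        exit; // stop the script so nothing after the redirect runs
    }
}
```

The same error text is returned whether the email is unknown or the password is wrong, so the response does not reveal which accounts exist.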

Let me know if you need more specific changes or have any questions!

Soeng Souy
