About the author

Yogesh Koli

Yogesh Koli is a software engineer and a blogger who lives in India. He's driven by an addiction to learning and a love for adventure. He has 5+ years of experience working with the front-end, back-end, web application development, and system design.

  • Hi, thank you for your tutorial. I have an error for DB() … it says it is an undefined function. What should I do?

  • I have an error on this login please help me!

    This is my error: Fatal error: Uncaught Error: Call to undefined function DB() in C:\xampp\htdocs\login\lib\library.php:67 Stack trace: #0 C:\xampp\htdocs\login\index.php(54): DemoLib->isEmail('pobsina@gmail.c…') #1 {main} thrown in C:\xampp\htdocs\login\lib\library.php on line 67

  • Why don’t you require or include database.php on the index.php file? With the current way your script is written, it’s impossible for the register / login to work.

  • Hi, thank you for your tutorial. I get a problem with $db=DB(); it says undefined. I have separated user registration into another file and the library into another file. Need your assistance if possible.

  • Hi, how would I go about redirecting the user to their profile page with “php?id=” in the address bar? Also, I’m curious if there is a way to share this link with other users?

  • Besides the use of sha256 instead of PHP's built-in password functions, there are a couple of problematic samples in this article that I wouldn't want novices to pick up as good habits.

    First, using constants for your database credentials is an unneeded global dependency for your DB() function. They really should be passed into DB as parameters. Consequently, DB() should be injected as a dependency to the DemoLib class, not pulled in from the global scope via $db = DB().

    Second, passwords should be uniquely salted, not just hashed. Again, there's a reason PHP added password_hash, just use it.

    The way validation is handled, you can only ever return one error to the user at a time. So if someone forgets to put in a value for name and email, they’ll be submitting the form a second time.

    The form should use a CSRF token to protect the form. Again, I understand this is for novices, but showing how to build a login form without one is dangerous.

    Also, I just noticed that $_POST['name'] is saved to the database and later displayed with name ?>, which could be vulnerable to XSS since the output is not being escaped with html_entities.

      • Great! Although for #3 – you should never rely solely on client-side validation. You'll still need to validate input with PHP (clients can misbehave, or someone could do a POST to your form without using your HTML). For #5 – yes, PDO with prepared statements guards you from SQL injection attacks, but if you're storing what the user supplies and then echoing it without escaping, that's an XSS vector.
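The points raised in the two comments above (inject the database handle instead of reading global constants, use password_hash/password_verify, collect every validation error, protect the form with a CSRF token, and escape user-supplied values on output) fit together in one small registration handler. The following is an added example written for this comment thread; it is not the tutorial's code or any commenter's code. It assumes PHP 8.0+ (constructor property promotion), a hypothetical `users` table with columns `id`, `name`, `email` and `password_hash`, and placeholder database credentials.

```php
<?php
// Added example: hardened registration flow. The DSN, user name, password and
// the `users` table layout are assumptions made for this example.
declare(strict_types=1);

// Credentials are passed in as parameters, not read from global constants.
function makeDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

final class UserStore
{
    // The PDO handle is injected; the class has no hidden dependency on DB().
    public function __construct(private PDO $db) {}

    public function register(string $name, string $email, string $password): bool
    {
        // password_hash generates a random per-user salt and stores it inside the hash string.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $this->db->prepare(
            'INSERT INTO users (name, email, password_hash) VALUES (:name, :email, :hash)'
        );
        return $stmt->execute([':name' => $name, ':email' => $email, ':hash' => $hash]);
    }

    public function login(string $email, string $password): ?array
    {
        $stmt = $this->db->prepare('SELECT id, name, password_hash FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);
        $row = $stmt->fetch();
        // password_verify reads the salt back out of the stored hash and compares in constant time.
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            return null;
        }
        return ['id' => $row['id'], 'name' => $row['name']];
    }
}

// CSRF: one random token per session, embedded in the form and compared in constant time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(mixed $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Server-side validation that collects every problem instead of returning only the first.
function validateRegistration(array $post): array
{
    $errors = [];
    if (trim((string)($post['name'] ?? '')) === '') {
        $errors[] = 'Name is required.';
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'A valid email address is required.';
    }
    if (strlen((string)($post['password'] ?? '')) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

// Every user-supplied value is escaped before it is placed into HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

session_start();
// Placeholder credentials: replace with values supplied by configuration, not constants in library code.
$store = new UserStore(makeDb('mysql:host=127.0.0.1;dbname=demo;charset=utf8mb4', 'demo_user', 'demo_password'));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    $errors = validateRegistration($_POST);
    if ($errors === []) {
        $store->register($_POST['name'], $_POST['email'], $_POST['password']);
        // A name such as <script>alert(1)</script> is rendered as literal text, not executed.
        echo 'Welcome, ' . e($_POST['name']) . '!';
        exit;
    }
    foreach ($errors as $err) {
        echo '<p>' . e($err) . '</p>';
    }
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= e(csrfToken()) ?>">
  <input name="name" placeholder="Name">
  <input name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <button>Register</button>
</form>
```

The token is generated once per session and bound to the form as a hidden field, so a cross-site POST that lacks it is rejected before any database work happens; `hash_equals` avoids leaking the token through timing. `validateRegistration` returns an array so all problems are shown on the first submission, and because `e()` is applied at output time, the stored name can contain anything without becoming markup in the page.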