
PHP

Building a member login system

I'm currently designing a new game and I want to monetize via Free to Play methods and subscriptions.

So, I need to create a backend to allow players to create an account/log in across multiple platforms, and eventually hook into authorize.net or similar to process payments. This has to hook into a JavaScript-based (and mobile) game and determine the content the player has access to.

Treehouse seems to only have the basics of PHP and MySQL. Is there anywhere I can find an in-depth course on how to create a secure login system?

Alternatively, can anyone suggest a prebuilt solution for this, like a backend-as-a-service product?

1 Answer

You're definitely thinking in the right direction. Security is the hardest part because you not only have the front-end security aspect to be concerned about, but you also have the backend security to be worried about. This is why systems like Google AppEngine and Heroku are so popular: you get to push all of the backend concerns off onto them, whereas something like a VPS will leave you mostly liable for the backend security.

Obviously, you can make your own login system, but for a truly secure system, you need a secure way to store/validate the passwords and other login information, as well as protect yourself from all forms of injections like SQL, PHP, etc. So there is a lot of validation that needs to be put in place.

My Solutions

There are a couple of options you can use. From an enterprise perspective you have login management systems like RSA's ClearTrust and CA's Siteminder. Those might be a bit robust and expensive though.

You can also make use of a CMS system's login and user management, such as WordPress. Obviously, you don't want to shoehorn WordPress into the mix just for its login management system, it just wouldn't make sense. If it fits though, then great.

My best suggestion: use OAuth. It's secure, widely supported and there are a ton of libraries. On top of that, it will allow your users to choose which social media account they want to use to log in with. More about OAuth: http://oauth.net/

As for Payments, Stripe has an easy interface to integrate with. More about Stripe: https://stripe.com/

I'm sure you can also find some PHP libraries that will allow you to process to Authorize.net if you prefer to not code to their interface on your own. In fact, there are probably libraries available for most processors. Actually, it looks like Auth.net provides their own PHP software development kit: http://developer.authorize.net/downloads/ which will make coding to them super simple.

Again, you can leverage a CMS like WordPress and plugins like WooCommerce or Paid Memberships Pro to not only handle the membership aspect but also all of the payment heavy lifting. Again, that only works if something like WordPress can fit with your project.

Thanks, Kris. I really appreciate the links for OAuth and Stripe. The WordPress idea is an interesting one, especially given the nature of the content I'm producing (cool, seeing as how you couldn't have known that), but am I right in thinking that wouldn't work given the need to log in from a mobile app as well?

There's probably a plugin that would allow that kind of syncing, or if you're familiar enough with WordPress, you could probably write the PHP to manage it, if the WordPress idea fits with what you're doing.

Update: It actually looks like WordPress might have done the heavy lifting. They have a thing called the XML-RPC API that allows you to send remote messages to the xmlrpc.php file in WordPress. This allows login validation, so you could probably use that in the mobile app. Of course, you'll need to dig into it a bit more to make sure it fits your whole use case :-)

http://codex.wordpress.org/XML-RPC_WordPress_API

Also, there's a cool WordPress plugin called Easy Digital Downloads (free: https://easydigitaldownloads.com/) that has an API Key manager addon (paid: https://easydigitaldownloads.com/extensions/software-licensing/), and by assigning an API key to someone's user account, you could use the API key as a way to validate that the person using the app has an account and which user account is theirs. You'd just need to figure out how to get their API key into their installation of your app on their phone without having them manually type it in. I mean, you could have them manually type it in, or copy/paste it, but that doesn't seem as user friendly as having them log in through the app, then having the app remotely retrieve the API key and store it in the app. Sorry if none of this is clear at all. They're advanced concepts.
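The two pieces the answer describes, hashed password storage with injection-safe queries and a per-account API key the app holds after logging in, as one added PHP example (not code from the thread, WordPress or Easy Digital Downloads). It assumes PDO with the SQLite driver; the in-memory database and the sample user are constructed here.

```php
<?php
// Added example: password_hash()/password_verify() for credentials, prepared statements
// against SQL injection, and an API key issued at login whose hash alone is stored.
// Assumes PDO with the sqlite driver; the database and user below are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    api_key_hash TEXT)');

function registerUser(PDO $db, string $username, string $password): void {
    // bcrypt via password_hash(); the salt is generated and embedded in the hash
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Verifies the credentials and, on success, returns a fresh API key for the app to store.
// Only a SHA-256 hash of the key is kept server-side, so a database leak does not expose it.
function loginAndIssueKey(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // bound parameter, never interpolated into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // same result for unknown user and wrong password
    }
    $apiKey = bin2hex(random_bytes(32));   // 256 bits from a CSPRNG
    $upd = $db->prepare('UPDATE users SET api_key_hash = :k WHERE id = :id');
    $upd->execute([':k' => hash('sha256', $apiKey), ':id' => $row['id']]);
    return $apiKey;
}

// Resolves an API key presented by the app back to the owning user id, or null.
function userIdForApiKey(PDO $db, string $apiKey): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE api_key_hash = :k');
    $stmt->execute([':k' => hash('sha256', $apiKey)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

registerUser($db, 'player1', 'correct horse battery staple');   // constructed sample user
assert(loginAndIssueKey($db, 'player1', 'wrong') === null);
assert(loginAndIssueKey($db, "player1' OR '1'='1", 'wrong') === null);   // treated as a literal
$key = loginAndIssueKey($db, 'player1', 'correct horse battery staple');
assert($key !== null && userIdForApiKey($db, $key) === 1);
assert(userIdForApiKey($db, 'not-a-real-key') === null);
echo "login and API key checks passed\n";
```

In a real deployment the key would travel only over TLS and be stored in the platform's secure storage on the device rather than in plain app data.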