Login System for Custom User Table in WordPress

Hello,

Please I need help with this.

I wrote some basic code to create a login form that will validate, retrieve data and display it on my dashboard, but I have the following challenges:

  1. It always displays "Invalid login details" whether I enter the right details or not.
  2. I don't know how to retrieve the data of the logged-in user and display it in my dashboard.
  3. I wish to use sessions like I would in PHP, but I don't know how to do that.

Kindly note that I created a new table in the database and I'm not using the default users table in WordPress.

Please find my code below

// Shortcode that outputs the login form (the form posts to the dashboard page)
function login_form ()
{
    $loginform = '';

    $loginform .= '<form method="post" action="https://mysite.com/dashboard/">';
    $loginform .= '<br />';
    $loginform .= '<br />';

    $loginform .= '<input type="text" size="40" name="email" placeholder="Email">';
    $loginform .= '<br />';
    $loginform .= '<br />';

    $loginform .= '<input type="password" size="40" name="passcode" placeholder="Password">';
    $loginform .= '<br />';
    $loginform .= '<br />';

    $loginform .= '<input type="submit" name="login_submit" value="Log In">';

    $loginform .= '</form>';
    $loginform .= '<br />';

    return $loginform;
}
add_shortcode('my_login','login_form');

// Handles the submitted form; runs on every page load because it is hooked to wp_head
function login_form_mail()
{
    if (array_key_exists('login_submit', $_POST))
    {
        global $wpdb;

        $loginusername = $_POST['email'];
        $loginpassword = $_POST['passcode'];

        // Look up the submitted email and the submitted password in two separate queries
        $retrieveUsername = $wpdb->get_var(" SELECT email FROM ".$wpdb->prefix."my_dataform WHERE email = '$loginusername'");

        $retrievePassword = $wpdb->get_var(" SELECT passcode FROM ".$wpdb->prefix."my_dataform WHERE passcode = '$loginpassword'");

        if ($loginusername == $retrieveUsername && $loginpassword == $retrievePassword)
        {
            // Concatenate outside the single-quoted string; '".$loginusername."' would be printed literally
            echo 'Welcome ' . $loginusername;
        }
        else
        {
            echo 'Invalid login details';
        }
    }
}
add_action('wp_head','login_form_mail');

1 Answer

Cayman, this raises some serious red flags, man. I would really advise you not to try to create your own login system; there is so much you have to be aware of security-wise to do this safely and not get all of your users' data compromised, which could turn into a legal or financial crisis for you.

Just to give you the first red flag: you are clearly storing your users' passwords in plain text in your database. That is a major no-no because it leaves your user credentials wide open to any hacker that breaches your database. The proper way to store passwords is to first "hash" them using a strong one-way encryption algorithm, ideally generating a unique "salt" for every user, combining their password and their salt, and then hashing that (so hackers can't use a "rainbow table" to brute-force users' logins).

Another red flag: you are not sanitizing your user inputs at all before you put them into raw SQL queries. This is another major no-no because it leaves your application wide open to SQL injection attacks, one of the most common and damaging ways hackers breach sites and get sensitive database contents.

My best advice is to use an existing login system that has been battle-tested by security experts who know all the ways to securely handle user authentication and management. If you really need to create your own, you first need to read the OWASP Top 10 and start digging way deeper into SQL prepared statements (PDO for PHP), sanitizing inputs, and lots of other security concerns. As with shopping cart/credit card payment systems, user management is not a trivial thing for developers to build themselves.
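
As an added illustration of the two fixes described in this answer (this is example code, not from the original post or the answer), here is the same custom-table login rewritten to use WordPress's `$wpdb->prepare()` for parameter binding and PHP's built-in `password_hash()`/`password_verify()` for salted hashing. It keeps the table and column names from the question (`my_dataform`, `email`, `passcode`) and assumes the `passcode` column now stores a hash rather than plain text; the function names are hypothetical.

```php
<?php
// Added example, not code from the original post or the answer. Assumes the
// same custom table (wp_my_dataform) with columns `email` and `passcode`, but
// with `passcode` now holding a password_hash() result instead of plain text.

// Creating an account: password_hash() picks a strong slow hash and generates
// a unique random salt per user, stored inside the hash string, so no salt
// column is needed. $wpdb->insert() binds the values with the given formats.
function my_dataform_create_user( $email, $plain_password ) {
    global $wpdb;
    $hash = password_hash( $plain_password, PASSWORD_DEFAULT );
    return $wpdb->insert(
        $wpdb->prefix . 'my_dataform',
        array( 'email' => $email, 'passcode' => $hash ),
        array( '%s', '%s' )
    );
}

// Logging in: fetch the row by email only, with the value bound through
// $wpdb->prepare() so user input is never spliced into the SQL text, then
// compare the submitted password against the stored hash in PHP.
// Returns the matching row (minus the hash) or null.
function my_dataform_authenticate( $email, $plain_password ) {
    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT email, passcode FROM {$wpdb->prefix}my_dataform WHERE email = %s",
        $email
    ) );
    if ( $row && password_verify( $plain_password, $row->passcode ) ) {
        unset( $row->passcode );
        return $row;
    }
    return null;
}

// Handle the posted form on `init`, before any HTML is sent, instead of in
// wp_head. The message is kept for the page to display; sanitize_email(),
// wp_unslash() and esc_html() are standard WordPress helpers.
function my_dataform_handle_login() {
    if ( ! isset( $_POST['login_submit'], $_POST['email'], $_POST['passcode'] ) ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ) );
    $user  = my_dataform_authenticate( $email, (string) wp_unslash( $_POST['passcode'] ) );
    $GLOBALS['my_dataform_login_message'] = $user
        ? 'Welcome ' . esc_html( $user->email )
        : 'Invalid login details';
}
add_action( 'init', 'my_dataform_handle_login' );
```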

Thanks so much for this Eric. I really appreciate it.

The reason I didn't want to use the default WordPress users table is that I need to add lots of other fields, and I also wouldn't be needing many of the default fields that came with the table.

What I'm trying to do here is to allow users to create an account by filling in a form with specific fields.

I will also perform lots of operations on those fields.

Do you think the default WordPress users table will help with this?

If yes, can you please give me a head start?

Thanks.

I haven't used any, but I would recommend finding and implementing a user management plugin. A quick Google search makes me think WP User Manager or Profile Extra Fields could be okay: they seem to handle what you need, have been updated recently, and are rated well/used by enough people. But again, I haven't used either, so you need to do your own vetting. There's also this listicle with some other plugin options to consider; I didn't look much into any of them though.

And regarding not needing the default fields in the existing wp_users table: do not delete any of them. They aren't just there for your direct use; your application uses them, and if they're suddenly absent you risk breaking your site.

Good luck and keep your users' privacy and security in mind, whatever you wind up building.