CHAPTER 03 Intermediate

Building Basic Login and Registration Systems

Updated: May 14, 2026

25 min read

# CHAPTER 3

1. Introduction

Every user journey begins with registration. To build an authentication system, we first need a mechanism to securely collect user data, store it in a database, and later retrieve it to verify their identity. In this chapter, we will design the database schema for a User, outline the registration workflow, and build the conceptual logic for a standard login form.

2. Learning Objectives

By the end of this chapter, you will be able to:

Design a relational database table for user storage.

Understand the Registration workflow (checking for duplicates).

Understand the Login workflow (fetching and comparing credentials).

Identify the necessary HTML form attributes for secure data transmission.

3. Beginner-Friendly Explanation

Imagine a private club.

Registration: A new person walks up, fills out a membership application, and hands it to the bouncer. The bouncer checks the club registry. If a person with that email already exists, he rejects the application. If not, he adds the new person's name and secret passcode to the registry book.

Login: The next night, the person returns. The bouncer asks for their email. The bouncer scans the registry book. If he can't find the email, he denies entry. If he finds it, he asks for the secret passcode. If it matches what is written in the book, the person is allowed inside.

4. Step 1: The Database Schema

Before writing application logic, we must design the users table in our database (e.g., MySQL or PostgreSQL).

SQL Schema:

sql

1234567

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    email VARCHAR(255) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

*Crucial Detail:* Notice the UNIQUE constraint on the email column. This is your database's last line of defense against creating two accounts with the same email. Also, notice the password field is VARCHAR(255). Even if a user's password is "cat", we need a massive column size because we will soon be storing long, scrambled hashes instead of the raw password.

5. Step 2: The Registration HTML Form

When building forms to transmit passwords, you must configure two specific attributes.

html

1234567891011

<!-- method MUST be POST. action points to your backend route -->
<form action="/api/register" method="POST">
    <label>Email:</label>
    <input type="email" name="email" required>
    
    <label>Password:</label>
    <!-- type="password" hides the characters as dots on the screen -->
    <input type="password" name="password" required>
    
    <button type="submit">Create Account</button>
</form>

6. Step 3: The Registration Workflow (Backend Logic)

When the backend receives the POST request from the form above, it must follow a strict checklist. Let's look at the logic using a modern PHP example with PDO.

php

1234567891011121314151617181920212223242526

<?php
// Assuming $pdo is your database connection

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $email = $_POST[&#039;email'];
    $password = $_POST[&#039;password'];

    // 1. Check if the user already exists
    $stmt = $pdo->prepare("SELECT id FROM users WHERE email = ?");
    $stmt->execute([$email]);
    
    if ($stmt->fetch()) {
        die("Error: An account with this email already exists.");
    }

    // 2. Hash the password (We will cover this deeply in Chapter 4)
    // NEVER SKIP THIS STEP IN A REAL APPLICATION
    $hashedPassword = password_hash($password, PASSWORD_DEFAULT);

    // 3. Save the new user to the database
    $insertStmt = $pdo->prepare("INSERT INTO users (email, password) VALUES (?, ?)");
    $insertStmt->execute([$email, $hashedPassword]);

    echo "Registration successful! You may now log in.";
}
?>

The login logic is slightly different. We must fetch the user by email, and then mathematically verify the password.

php

12345678910111213141516171819202122232425

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $email = $_POST[&#039;email'];
    $loginPassword = $_POST[&#039;password'];

    // 1. Find the user by email
    $stmt = $pdo->prepare("SELECT id, password FROM users WHERE email = ?");
    $stmt->execute([$email]);
    $user = $stmt->fetch();

    // 2. Verify existence AND password match
    // password_verify() safely compares the plain text to the database hash
    if ($user && password_verify($loginPassword, $user[&#039;password'])) {
        
        // 3. Authentication Passed!
        // Start a session (Covered in Chapter 5)
        echo "Login Successful! Welcome.";
        
    } else {
        // 4. Authentication Failed!
        // Use a vague error message.
        echo "Error: Invalid email or password.";
    }
}
?>

8. Backend Workflow: Form Validation

In the examples above, we grabbed $POST['email'] directly. In a professional application, you must sanitize and validate this data first. Is it actually an email format? Is the password at least 8 characters long? Does the password contain a number and a symbol? Enforcing these rules during the Registration workflow prevents weak security policies.
9. Best Practices

Case-Insensitive Emails: Users often accidentally capitalize the first letter of their email on mobile phones (e.g., John@example.com). When storing or looking up emails in the database, always convert the input string to lowercase first (e.g., strtolower($email) in PHP) to prevent duplicate accounts and login frustrations.

10. Common Mistakes

Using GET for Passwords: If you write <form method="GET">, the user's password will be appended directly to the URL in plain text: http://yoursite.com/login?email=a@a.com&password=mysecret. This URL is saved in the browser's history and server logs for anyone to read. ALWAYS use POST for authentication forms.

11. Exercises

1. Trace the logical flow of the Login process. Why do we query the database for the user's email *before* we attempt to verify their password?

12. Coding Challenges

Challenge: Look at the Login workflow in Step 4. Rewrite this logic conceptually using Node.js/Express syntax, assuming you have a User.findOne({ email: req.body.email }) function available to query a MongoDB database.

13. MCQs with Answers

Question 1

When designing an HTML login form, which attribute configuration is an absolute security requirement?

Question 2

During the registration process, what is the most critical database-level constraint to place on the email column?

14. Interview Questions

Q: Walk me through the backend workflow of a user registration process. What checks must be performed before executing the SQL INSERT statement?

Q: Explain why it is important to standardize email inputs (e.g., forcing lowercase) during both the registration and login processes.

15. FAQs

Q: Can I use a username instead of an email for login? A: Yes, the logic is identical. However, using emails is the modern industry standard because it provides a built-in mechanism for "Forgot Password" workflows and verifies that the user has a valid communication channel.

16. Summary

In Chapter 3, we laid the mechanical groundwork for an authentication system. We designed a SQL database schema utilizing the UNIQUE constraint for emails. We established the HTML form requirements for securely transmitting data. Most importantly, we mapped out the backend programmatic logic for both Registration (checking for duplicates, hashing, and inserting) and Login (fetching by email and verifying the hash), forming the backbone of user identity.

17. Next Chapter Recommendation

In our pseudo-code, we touched upon password_hash(). Why is this function so critical? Proceed to Chapter 4: Password Hashing and Security.

Browse All 21+ Subject Areas

Quick Links

Visual Algorithm Labs

Frontend Dev

The Future of Web Architecture in 2026

Practice Quizzes