Lab 9: User Registration System (Part 1)

Resources

Overview

In this lab, you will implement a secure user registration system that allows customers to create accounts. You will build the database schema, a UserModel for data operations, validation logic, and a registration form with proper security measures including password hashing.

Part 2 covers login, sessions, middleware, and role-based access control.

Learning Objectives

Create a user database table with proper schema design.
Build a UserModel with CRUD operations.
Implement secure password hashing using password_hash().
Validate user input (required fields, email format, uniqueness, password strength).
Create a registration form with proper HTML structure.
Build an AuthController extending BaseController.
Apply the Result pattern for validation feedback.
Prevent common security vulnerabilities (SQL injection, XSS).

Prerequisites

Working Slim 4 application with BaseController pattern.
Flash Messages lab completed (FlashMessage helper).
MySQL database connection using PDOService.
BaseModel class available.
Bootstrap CSS included in views.
Access to phpMyAdmin for database management.

Step 1: Create the Users Database Table

Open phpMyAdmin in your browser
Select your project database
Click on the “SQL” tab
Execute the following SQL statement:

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    first_name VARCHAR(100) NOT NULL,
    last_name VARCHAR(100) NOT NULL,
    username VARCHAR(50) UNIQUE NOT NULL,
    email VARCHAR(100) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    role ENUM('admin', 'customer') DEFAULT 'customer',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
);

Click “Go” to execute the query
Verify the table was created by clicking on the “Structure” tab or running DESCRIBE users;

The UNIQUE constraints on email and username prevent duplicate accounts. VARCHAR(255) for password_hash handles bcrypt/Argon2 hashes. The ENUM restricts role values to 'admin' or 'customer'.

Step 2: Create the UserModel Class

Step 2.1: Class Structure

Create a UserModel class in the app/Domain/Models/ directory. This model handles all database operations related to users. Follow the same pattern as ProductsModel: use the namespace App\Domain\Models, extend BaseModel, and add a constructor that accepts PDOService and passes it to the parent.

Step 2.2: Implement `createUser()` Method

This method inserts a new user with a hashed password. Never store passwords in plain text. If the database is compromised, hashed passwords still protect users.

1
public function createUser(array $data): int
2
{
3
    // TODO: Hash the password before storing it
4

5
    // TODO: Insert the user into the database
6

7
    // TODO: Return the new user's ID
8
}

Step 2.3: Implement `findByEmail()` Method

1
public function findByEmail(string $email): ?array
2
{
3
    // TODO: Look up a single user by their email address
4
    //       Return the user data or null if not found
5
}

Step 2.4: Implement `findByUsername()` Method

1
public function findByUsername(string $username): ?array
2
{
3
    // TODO: Look up a single user by their username
4
    //       Return the user data or null if not found
5
}

Step 2.5: Implement Existence Check Methods

These methods check whether an email or username is already taken during registration.

1
public function emailExists(string $email): bool
2
{
3
    // TODO: Check whether a user with this email already exists in the database
4
}
5

6
public function usernameExists(string $username): bool
7
{
8
    // TODO: Check whether a user with this username already exists in the database
9
}

Step 3: Create the Registration Form View

Create app/Views/auth/register.php:

1
<?php
2

3
use App\Helpers\ViewHelper;
4

5
ViewHelper::loadHeader($title);
6
?>
7

8
<div class="row justify-content-center">
9
    <div class="col-md-6">
10
        <div class="card">
11
            <div class="card-header">
12
                <h3 class="text-center">Create Account</h3>
13
            </div>
14
            <div class="card-body">
15
                <form method="POST" action="<?= APP_BASE_URL ?>/register">
16
                    <div class="mb-3">
17
                        <label for="first_name" class="form-label">First Name</label>
18
                        <input type="text" class="form-control" id="first_name" name="first_name" required>
19
                    </div>
20

21
                    <div class="mb-3">
22
                        <label for="last_name" class="form-label">Last Name</label>
23
                        <input type="text" class="form-control" id="last_name" name="last_name" required>
24
                    </div>
25

26
                    <div class="mb-3">
27
                        <label for="username" class="form-label">Username</label>
28
                        <input type="text" class="form-control" id="username" name="username" required>
29
                    </div>
30

31
                    <div class="mb-3">
32
                        <label for="email" class="form-label">Email Address</label>
33
                        <input type="email" class="form-control" id="email" name="email" required>
34
                    </div>
35

36
                    <div class="mb-3">
37
                        <label for="password" class="form-label">Password</label>
38
                        <input type="password" class="form-control" id="password" name="password" required>
39
                        <div class="form-text">
40
                            Password must be at least 8 characters long and contain at least one number.
41
                        </div>
42
                    </div>
43

44
                    <div class="mb-3">
45
                        <label for="confirm_password" class="form-label">Confirm Password</label>
46
                        <input type="password" class="form-control" id="confirm_password" name="confirm_password" required>
47
                    </div>
48

49
                    <div class="d-grid gap-2">
50
                        <button type="submit" class="btn btn-primary">Register</button>
51
                    </div>
52
                </form>
53

54
                <div class="mt-3 text-center">
55
                    <p>Already have an account? <a href="<?= APP_BASE_URL ?>/login">Login here</a></p>
56
                </div>
57
            </div>
58
        </div>
59
    </div>
60
</div>
61

62
<?php ViewHelper::loadFooter(); ?>

Step 4: Create AuthController with Registration Logic

Create app/Controllers/AuthController.php. Follow the same pattern as your other controllers: extend BaseController and inject UserModel via the constructor.

The controller needs two methods:

Step 4.1: `register()` Method

This method handles GET requests and displays the registration form. Render the auth/register.php view with an appropriate page title.

Step 4.2: `store()` Method

This method handles POST requests and processes the registration form submission.

1
public function store(Request $request, Response $response, array $args): Response
2
{
3
    // TODO: Extract the submitted form fields from the request
4

5
    // TODO: Validate all fields:
6
    //       - All fields are required
7
    //       - Email must be a valid format
8
    //       - Email must not already be registered
9
    //       - Username must not already be taken
10
    //       - Password must be at least 8 characters and contain at least one number
11
    //       - Password and confirmation must match
12
    //       Collect any validation errors into an array.
13

14
    // TODO: If validation fails, display the first error as a flash message
15
    //       and redirect to the registration page
16

17
    // TODO: Build the user data array and hardcode the role as 'customer'.
18
    //       Create the user using the UserModel.
19
    //       On success, display a success flash message and redirect to the login page.
20
    //       On failure, display an error flash message and redirect to the registration page.
21
}

Step 5: Register Routes

Open app/Routes/web-routes.php and add:

1
use App\Controllers\AuthController;
2

3
// TODO: Create a GET route for '/register' that maps to AuthController::class 'register' method
4
//       Set the route name to 'auth.register'
5

6
// TODO: Create a POST route for '/register' that maps to AuthController::class 'store' method

Testing Your Implementation

Valid Registration

Visit http://localhost/[your-app]/register
Fill in all fields with valid data
Click “Register”
You should see a success message and be redirected to the login page

Validation Errors

Test each validation rule by submitting the form with:

Empty fields: should show “All fields are required.”
Invalid email (e.g., “notanemail”): should show “Invalid email format.”
Duplicate email (register twice with the same email): should show “Email already registered.”
Duplicate username: should show “Username already taken.”
Short password (less than 8 characters): should show “Password must be at least 8 characters long.”
Password without a number (e.g., “password”): should show “Password must contain at least one number.”
Mismatched passwords: should show “Passwords do not match.”

Password Hashing Verification

Register a new user
Open phpMyAdmin and browse the users table
Check the password_hash column: it should contain a long string starting with $2y$ (bcrypt), not the plain-text password

Test Your Understanding

Next Steps

Continue to Part 2 to implement:

User login with password verification
Session management
Route protection with middleware
Role-based access control (admin vs customer)
Dashboard views