Security | Feb 10, 2026
What I learned building a secure login system in PHP + MySQL
By Omar Mubaidin
The Challenge
Building authentication seems simple until you start thinking about security. For HTU Martial Arts, I needed a system that wasn't just "functional" but actually secure.
Key Learnings
- Password Hashing: Why MD5 is dead and why password_hash() (Bcrypt/Argon2) is the standard.
- SQL Injection: Using prepared statements seems obvious now, but seeing how easy it is to inject SQL into raw queries was a wake-up call.
- Session Management: Handling session fixation and using secure, HTTP-only cookies.
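Added example, not code from the original post or from the HTU Martial Arts project: the three learnings above in working PHP 8 with PDO. The DSN, credentials, and a `users` table with `email` and `password_hash` columns are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed DSN and credentials. Emulated prepares are turned off so MySQL
// itself receives a parameterised statement rather than a client-side string.
function db(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=htu;charset=utf8mb4', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Cookie flags must be set before session_start(); HttpOnly keeps scripts
// from reading the id, Secure keeps it off plain HTTP, SameSite limits CSRF.
function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Registration: store a salted, slow hash (bcrypt under PASSWORD_DEFAULT
// today), never the password and never MD5/SHA of it.
function register(PDO $pdo, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Login: the email is a bound parameter, so quotes inside it are data, not SQL.
// password_verify does the comparison; on success the session id is replaced
// so an id fixed before login is worthless afterwards.
function login(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade old hashes when the default cost/algorithm changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    session_regenerate_id(true);      // defeats session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}
```

Call start_secure_session() at the top of every request before touching $_SESSION, and on logout pair session_destroy() with clearing the cookie.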
This project taught me that security is not a feature you add at the end, but a mindset you start with.