The examples on this site are currently tested to work on Phalcon V3.4 and Phalcon Devtools V3.2. Some issues may arise when using later versions.

Please get in touch or post a comment below the post if you encounter a problem.

To create a user in your system with a username and password you'll need an appropriate database table. The following table contains a typical set of attributes along with some fields for the system administrator including the times and dates the user was created/updated. The status field will be used to describe whether a user is active or expired.

drop table if exists user;
create table user (
	id int auto_increment,
	username varchar(30),
	password varchar(255),      -- holds the bcrypt hash (60 characters), never the plaintext password
	firstname varchar(30),
	surname varchar(30),
	emailAddress varchar(70),
	role varchar(30),
	validationkey varchar(255), -- code later emailed to the user to confirm the address
	status varchar(255),        -- "Active" or "Expired"
	createdat datetime,
	updatedat datetime,
	primary key(id)
);
Once the table has been created in the database, scaffold it to create a model, a controller and views:
phalcon scaffold user --get-set --ns-models=tennisClub

This produces app/models/User.php, app/controllers/UserController.php and the views under app/views/user/ (the screenshot of the scaffold output in the original post is not reproduced here).

For this table only the username, firstname, surname and email address should be supplied by the user at sign-up. The other fields are for administrative use and will be set automatically in the user controller. To achieve this we need to modify the view for creating new users, so edit app/views/user/new.phtml and remove the fields for role, validationkey, status, updatedat and createdat. For each field remove the form-group div and everything inside it. While you are modifying new.phtml, take the opportunity to change the tag used for the password field from textField to passwordField, so the browser renders it as an input of type password and masks the characters as they are typed. This only hides the password from onlookers; it is still sent to the server as entered, so serve the form over HTTPS. The before and after screenshots from the original post are not reproduced here.

Next edit the app/controllers/UserController.php file generated by the scaffold. When the new.phtml form is submitted it calls createAction(), so modify this function. Find the lines which set the role, validationkey, status, updatedat and createdat fields from values in the form and replace them with the following lines (updatedat is simply left empty at creation; the scaffold generates the setters as setRole(), setStatus() and so on, and since PHP method names are case-insensitive the lowercase spelling below also works):
$user->setrole("Registered User"); // every self-registered account gets the same role
$user->setstatus("Active");
$user->setvalidationkey(md5($this->request->getPost("username") . uniqid()));
$user->setcreatedat((new DateTime())->format("Y-m-d H:i:s")); // set to the current date/time

The validation key is a unique code for this user. Functionality can be added at a later stage which allows the application to send an email to the user containing this code, which the user returns to prove that the email address is theirs. That makes the code a secret: anyone who can guess it can validate an address they do not control. uniqid() is derived from the current microsecond time and wrapping it in md5 adds no secrecy, so for a real deployment generate the key from a cryptographic random source such as random_bytes() or the security service's getRandom() instead.

In addition, we need to change the line which sets the password so that the password is hashed before it is stored in the database:

$user->setpassword($this->security->hash($this->request->getPost("password")));

The security service in Phalcon provides a range of security tools, described at https://docs.phalconphp.com/en/latest/security. It is worth noting that Phalcon's standard password hash function uses bcrypt. bcrypt is a password hashing function, not an encryption tool: the stored value cannot be reversed to recover the password, and the function has a configurable work factor (cost) that makes each computation deliberately slow. That cost is what protects the stored passwords: an attacker who obtains a copy of the user table has to pay it for every guess, which makes offline brute-force and dictionary attacks far more expensive. At the time of writing bcrypt is still a recommended choice for this purpose, and PHP's own password_hash() function has defaulted to it since PHP 5.5.

Hashing the password in this way therefore protects the system against offline brute-force attacks on a stolen database. It does nothing to slow online guessing against the login form, which needs rate limiting or lockout separately. The modified createAction() is shown in a screenshot in the original post, which is not reproduced here.

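The following is an added example, not the scaffold's generated code or the original post's screenshot: a complete createAction() applying the changes described above, plus a login-side helper showing how the stored bcrypt hash is verified with the security service's checkHash(). It assumes the scaffolded tennisClub\User model with --get-set accessors (setUsername(), getPassword(), getStatus() and so on), Phalcon's default request, security, flash and dispatcher services, and a hypothetical credentialsValid() helper that the tutorial does not define. It goes a little beyond the text by checking the plaintext password length before hashing, raising the bcrypt cost, and drawing the validation key from the security service's random generator.

```php
<?php
// Added example, not the tutorial's scaffolded code. Assumes the scaffold's
// tennisClub\User model with --get-set accessors and Phalcon's default
// "request", "security", "flash" and "dispatcher" services.

use Phalcon\Mvc\Controller;
use tennisClub\User;

class UserController extends Controller
{
    public function createAction()
    {
        if (!$this->request->isPost()) {
            return $this->dispatcher->forward(["controller" => "user", "action" => "index"]);
        }

        $password = $this->request->getPost("password");

        // Check the plaintext here, before it is hashed: bcrypt only uses the first
        // 72 bytes of its input, so anything longer is silently truncated.
        if (strlen($password) < 8 || strlen($password) > 72) {
            $this->flash->error("password must be between 8 and 72 characters");
            return $this->dispatcher->forward(["controller" => "user", "action" => "new"]);
        }

        $user = new User();

        // Only these four fields are taken from the form; the second argument is a
        // Phalcon sanitize filter applied to the raw POST value.
        $user->setUsername($this->request->getPost("username", "string"));
        $user->setFirstname($this->request->getPost("firstname", "string"));
        $user->setSurname($this->request->getPost("surname", "string"));
        $user->setEmailAddress($this->request->getPost("emailAddress", "email"));

        // bcrypt through the security service, with the cost (work factor) passed
        // explicitly and raised above Phalcon's default so each guess is slow.
        $user->setPassword($this->security->hash($password, 12));

        // Administrative fields are set server-side and never taken from the form.
        $user->setRole("Registered User");
        $user->setStatus("Active");

        // The email-validation key must be unguessable: 16 bytes from the CSPRNG,
        // stored as 32 hex characters. md5(username . uniqid()) is not suitable
        // because uniqid() is derived from the current time.
        $user->setValidationkey($this->security->getRandom()->hex(16));
        $user->setCreatedat((new \DateTime())->format("Y-m-d H:i:s"));

        // save() runs the model's validation() hook, so a duplicate username is
        // reported here as a message instead of reaching the database.
        if (!$user->save()) {
            foreach ($user->getMessages() as $message) {
                $this->flash->error($message);
            }
            return $this->dispatcher->forward(["controller" => "user", "action" => "new"]);
        }

        $this->flash->success("user was created successfully");
        return $this->dispatcher->forward(["controller" => "user", "action" => "index"]);
    }

    // Hypothetical login-side helper (not generated by the scaffold): checkHash()
    // re-runs bcrypt with the salt and cost embedded in the stored value, so the
    // plaintext password is never stored and never compared directly.
    private function credentialsValid($username, $password)
    {
        $user = User::findFirst([
            "username = :username:",
            "bind" => ["username" => $username],
        ]);

        if (!$user) {
            // Hash anyway so an unknown user costs as much as a wrong password,
            // which keeps response time from revealing which usernames exist.
            $this->security->hash($password, 12);
            return false;
        }

        return $this->security->checkHash($password, $user->getPassword())
            && $user->getStatus() === "Active";
    }
}
```

The cost of 12 is passed on both the hashing and the dummy-hash path so that they take the same time; if you change it, existing hashes still verify because checkHash() reads the cost from the stored value.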
Lastly we will add some validation. There are many things we might like to validate about a user's details, including whether the email address is correctly formed and whether a strong password has been used. Phalcon provides validators for both, and they can also be checked with client-side scripting in the browser before submit, although a client-side check is a convenience for the user and not a security control, since a request can be sent to the server without the browser's script ever running. For a more detailed explanation of various validation techniques have a look at the Validation section of the site. For now we will simply add a UniquenessValidator to the user model to verify that the username supplied has not previously been chosen. This cannot be done with client-side scripting as it requires looking in the database. Note that the validator queries the table at save time, so two requests registering the same username at the same moment can both pass; a UNIQUE index on the username column is what actually guarantees uniqueness. To add a UniquenessValidator edit app/models/User.php. Add the following use statements to the top of the file with the other use statements.

use Phalcon\Validation;
use Phalcon\Validation\Validator\Uniqueness as UniquenessValidator;
Now add the following function to the User class.
public function validation()
{
   // Phalcon calls this hook from save(); returning false aborts the save
   // and the messages can be read with getMessages()
   $validator = new Validation();
   $uValidator = new UniquenessValidator(["message" => "this userName has already been chosen"]);
   $validator->add('username', $uValidator);
   return $this->validate($validator);
}
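As an added example (not the scaffolded model or the original post's code), here is the same validation() hook extended to the other checks the text mentions: presence and length of the username, the uniqueness check above, and a server-side format check on the email address. The scaffold-generated property declarations and get/set accessors are unchanged and are not repeated here; the validator classes are Phalcon's own.

```php
<?php
// Added example, not the tutorial's scaffolded model: validation() hook of
// app/models/User.php with several Phalcon validators. The generated properties
// and get/set accessors are left as the scaffold produced them and omitted here.
namespace tennisClub;

use Phalcon\Mvc\Model;
use Phalcon\Validation;
use Phalcon\Validation\Validator\Email as EmailValidator;
use Phalcon\Validation\Validator\PresenceOf;
use Phalcon\Validation\Validator\StringLength;
use Phalcon\Validation\Validator\Uniqueness as UniquenessValidator;

class User extends Model
{
    public function validation()
    {
        $validator = new Validation();

        // Several validators may be attached to the same field; they run in order.
        $validator->add('username', new PresenceOf([
            "message" => "a username is required",
        ]));
        $validator->add('username', new StringLength([
            "min"            => 3,
            "max"            => 30,   // matches varchar(30) in the table
            "messageMinimum" => "username must be at least 3 characters",
            "messageMaximum" => "username must be at most 30 characters",
        ]));
        // Queries the table for another row with this username. This is a check at
        // save time, not a guarantee: two requests registering the same name at
        // once can both pass, so the username column also needs a UNIQUE index.
        $validator->add('username', new UniquenessValidator([
            "message" => "this userName has already been chosen",
        ]));

        // Server-side format check on the address; a browser-side check can be
        // bypassed by posting to the form URL directly.
        $validator->add('emailAddress', new EmailValidator([
            "message" => "the email address is not valid",
        ]));

        // Password strength cannot be checked here: by the time the model sees the
        // value the controller has already replaced it with the bcrypt hash, so
        // that check belongs in the controller before hashing.

        // Returns false and records the messages (read via getMessages()) when any
        // validator fails, which aborts save().
        return $this->validate($validator);
    }
}
```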

Now you can add new users with unique usernames and with passwords stored as bcrypt hashes rather than in plaintext.