How to Create Secure Registration Page in PHP/MySQL Part I

Submitted by GeePee on Saturday, May 30, 2015 - 00:10.
By secured we mean that we need to sanitize the data that is passed to our script in order to secure the registration of new account or user. There are three different types of connectivity in MySQL. They are: mysql = old MySQL function mysqli = improved MySQL function pdo = using prepared statement Mysql_connect is currently not supported in PHP version 5.5.0. So the option left are mysqli and pdo. In this tutorial, I will use mysql as there are still so many wanna be programmers who are using it. But we will sanitize it so it will still look secured. Let us prepare our database table. Database name: login Database table: member Using phpMyAdmin, create a database called "login". Now select the database that you have created. Click on the SQL tab and paste the following sql code.
  1. CREATE TABLE `login`.`member` (
  2.   `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  3.   `username` VARCHAR(30) NOT NULL,
  4.   `password` CHAR(128) NOT NULL,
  5.   `email` VARCHAR(50) NOT NULL,
  6.   `salt` CHAR(128) NOT NULL
  7. ) ENGINE = InnoDB;
Create a Registration Form called "registration.html". For the meantime let's use table for our design.
  1. <!<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2. <html xmlns="http://www.w3.org/1999/xhtml">
  3. <head>
  4. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5. <title>Register</title>
  6. </head>
  7.  
  8. <body>
  9. <form name="register" action="register.php" method="post">
  10.         <table width="510" border="0">
  11.                 <tr>
  12.                         <td colspan="2"><p><strong>Registration Form</strong></p></td>
  13.                 </tr>
  14.                 <tr>
  15.                         <td>Username:</td>
  16.                         <td><input type="text" name="username" maxlength="20" /></td>
  17.                 </tr>
  18.                 <tr>
  19.                         <td>Password:</td>
  20.                         <td><input type="password" name="password1" /></td>
  21.                 </tr>
  22.                 <tr>
  23.                         <td>Confirm Password:</td>
  24.                         <td><input type="password" name="password2" /></td>
  25.                 </tr>
  26.                 <tr>
  27.                         <td>Email:</td>
  28.                         <td><input type="text" name="email" id="email" /></td>
  29.                 </tr>
  30.                 <tr>
  31.                         <td>&nbsp;</td>
  32.                         <td><input type="submit" value="Register" /></td>
  33.                 </tr>
  34.         </table>
  35. </form>
  36. </body>
  37. </html>
Now create registration script called "register.php". First, let us receive the data from our registration form.
  1. <?php
  2. //retrieve our data from POST
  3. $username = $_POST['username'];
  4. $password1 = $_POST['password1'];
  5. $password2 = $_POST['password2'];
  6. $email = $_POST['email'];
  7.  
  8. if($password1 != $password2)
  9.     header('Location: registration.html');
  10.  
  11. if(strlen($username) > 30)
  12.     header('Location: registration.html');
Secure password using salt. This is called password hashing using salt. You can find more info about this at http://php.net/manual/en/faq.passwords.php
  1. $hash = hash('sha256', $password1);
  2.  
  3. function createSalt()
  4. {
  5.     $text = md5(uniqid(rand(), true));
  6.     return substr($text, 0, 3);
  7. }
  8.  
  9. $salt = createSalt();
  10. $password = hash('sha256', $salt . $hash);
Insert the value into "member" table.
  1. $conn = mysql_connect('localhost', 'root', '');
  2. mysql_select_db('login', $conn);
  3.  
  4. //sanitize username
  5. $username = mysql_real_escape_string($username);
  6.  
  7. $query = "INSERT INTO member ( username, password, email, salt )
  8.        VALUES ( '$username', '$password', '$email', '$salt' );";
  9. mysql_query($query);
  10.  
  12.  
  13. header('Location: login.php');
  14. ?>
The important code here is the "mysql_real_escape_string". This will escape all character use for sql injection. So, only valid character will be used. As I've said earlier, we will use the obsolete or depreciated function called mysql_connect. We will be creating another tutorial on how to use mysqli_connect in our next tutorial.
Tags
php
Registration Page

Add new comment

About text formats
  • 424 views