0

This is probably not secure but ignore that. Ive made a simple homepage with login, registration and logout. But im having a problem storing the password in my database. It somewhat looks hashed/salted. I dont understand much when Im not hashing it myself. In fact I have no experience with salting at all, so please dont come with a professional solution.

This is how it looks like in the database after registration: The database has the following attributes: id, username, password, email:

9, test, *94BDCEBE19083CE, [email protected]

But should look like this:

9, test, test, [email protected]

My registration.php looks like this:

<html>
    <head>
        <link rel="stylesheet" type="text/css" href="styles.css">
    </head>
    <body>
        <?php
        // loggin in and selects the database
        include ("dbConfig.php");

        //Input vaildation and the dbase code
        if ( $_GET["op"] == "reg" )
         {
         $bInputFlag = false;
         foreach ( $_POST as $field )
            {
            if ($field == "")
           {
           $bInputFlag = false;
           }
            else
           {
           $bInputFlag = true;
           }
            }
         // If we had problems with the input, exit with error
         if ($bInputFlag == false)
            {
            die( "Problem with your registration info. "
           ."Please go back and try again.");
            }

         // Fields are clear, add user to database
         //  Setup query
         $q = "INSERT INTO dbUsers (username, password , email ) "
            ."VALUES ('".$_POST["username"]."', "
            ."PASSWORD('".$_POST["password"]."'), "
            ."'".$_POST["email"]."')";
         //  Run query
         $r = mysql_query($q);

         // Make sure query inserted user successfully
         if ( !mysql_insert_id() )
            {
            die("Error: User not added to database.");
            }
         else
            {
            // Redirect to thank you page.
            Header("Location: register.php?op=thanks");
            }
         } // end if


        //The thank you page
        elseif ( $_GET["op"] == "thanks" )
         {
         echo "<form action='members.php' method='POST'>";
         echo "<div class='panel'> <span><font color='lime'>Thanks for registering!</font></span>";
         echo "<label><input type='submit' class ='button' value='Back'></label></div></form>";
         }

        //The web form for input ability
        else
         {
         echo  "
         <div class='box'>
            <h1>Registration</h1>
            <form action=\"?op=reg\" method=\"POST\">
                <label> 
                    <span>Username</span>
                    <input autocomplete='off' class='input_text' name='username'>   
                </label>
                <label>
                    <span>Password</span>
                    <input autocomplete='off' class='input_text' type='password' name='password'>
                </label>
                <label> 
                    <span>Email</span>
                    <input autocomplete='off' class='input_text' name='email'>  
                </label>
                <label> 
                    <input type='submit' class='button' value='Registrer'>  
                </label>
            </form>
         </div>";
         }
        ?>
    </body>
</html>
Improve this question
5
  • stackoverflow.com/questions/2131252/… Commented Aug 25, 2012 at 14:26
  • 3
    Your code is vulnerable to SQL injection. You really should be using prepared statements, into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of Bobby Tables. Commented Aug 25, 2012 at 14:36
  • 2
    Also, as stated in the introduction to the PHP manual chapter on the mysql_* functions: This extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API. Commented Aug 25, 2012 at 14:39
  • 1
    Why register on that site? Everybody can simply "login". Commented Aug 25, 2012 at 15:03
  • 1
    wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers Commented Aug 25, 2012 at 15:04

1 Answer 1

Reset to default
4

Just remove the PASSWORD() function from the SQL statement.

So you have to modify your code like this:

$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".$_POST["username"]."', "
        ."'".$_POST["password"]."', "
        ."'".$_POST["email"]."')";

Beware that this is unsecure because a SQL injection is possible. You can use prepared statements with the mysqli_* functions to prevent this. If you cannot use mysqli_* you can also use mysql_real_escape_string().

Your code would then look like this:

$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".mysql_real_escape_string($_POST["username"])."', "
        ."'".mysql_real_escape_string($_POST["password"])."', "
        ."'".mysql_real_escape_string($_POST["email"])."')";
Improve this answer
Sign up to request clarification or add additional context in comments.

13 Comments

That worked! Btw, how can i uncrypt the password from the database if i use the PASSWORD() function?
@rtc11: You can't. Hashing is designed to be a one-way function.
This kind of query exposes the server to immediate SQL injection attacks. All $_POST data must be properly escaped before use in a mysql query.
@Jocelyn: Thats absolutly right but the OP said that he does not want any help beside the original question. The comments below the question cover the aspect of SQL injections clearly enough. Besides there are much more flaws in the code than a single answer could cover. So I respect the authors request not to correct more than he wants.
@Sammaye The point is that although OPs question is answered, other people viewing this now or in the future may see this answer and think: Just what I needed and BAM now you have other people using this broken code.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.