Secure Registration Page

By secured we mean that we need to sanitize the data that is passed to our script in order to secure the registration of new account or user.

There are three different types of connectivity in MySQL. They are:

mysql = old MySQL function
mysqli = improved MySQL function
pdo = using prepared statement

Mysql_connect is currently not supported in PHP version 5.5.0. So the option left are mysqli and pdo.

In this tutorial, I will use mysql as there are still so many wanna be programmers who are using it. But we will sanitize it so it will still look secured.

Let us prepare our database table.

Database name: login
Database table: member

Using phpMyAdmin, create a database called “login”.

Now select the database that you have created. Click on the SQL tab and paste the following sql code.

  1. CREATE TABLE `login`.`member` (
  2. `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  3. `username` VARCHAR(30) NOT NULL,
  4. `password` CHAR(128) NOT NULL,
  5. `email` VARCHAR(50) NOT NULL,
  6. `salt` CHAR(128) NOT NULL
  7. ) ENGINE = InnoDB;

Create a Registration Form called “registration.html”. For the meantime let’s use table for our design.

  1. <!<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
  2. <html xmlns=”http://www.w3.org/1999/xhtml”>
  3. <head>
  4. <meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
  5. <title>Register</title>
  6. </head>
  7. <body>
  8. <form name=”register” action=”register.php” method=”post”>
  9. <table width=”510″ border=”0″>
  10. <tr>
  11. <td colspan=”2″><p><strong>Registration Form</strong></p></td>
  12. </tr>
  13. <tr>
  14. <td>Username:</td>
  15. <td><input type=”text” name=”username” maxlength=”20″ /></td>
  16. </tr>
  17. <tr>
  18. <td>Password:</td>
  19. <td><input type=”password” name=”password1″ /></td>
  20. </tr>
  21. <tr>
  22. <td>Confirm Password:</td>
  23. <td><input type=”password” name=”password2″ /></td>
  24. </tr>
  25. <tr>
  26. <td>Email:</td>
  27. <td><input type=”text” name=”email” id=”email” /></td>
  28. </tr>
  29. <tr>
  30. <td>&nbsp;</td>
  31. <td><input type=”submit” value=”Register” /></td>
  32. </tr>
  33. </table>
  34. </form>
  35. </body>
  36. </html>

Now create registration script called “register.php”.

First, let us receive the data from our registration form.

  1. <?php
  2. //retrieve our data from POST
  3. $username = $_POST[‘username’];
  4. $password1 = $_POST[‘password1’];
  5. $password2 = $_POST[‘password2’];
  6. $email = $_POST[’email’];
  7. if($password1 != $password2)
  8. header(‘Location: registration.html’);
  9. if(strlen($username) > 30)
  10. header(‘Location: registration.html’);

Secure password using salt. This is called password hashing using salt. You can find more info about this at http://php.net/manual/en/faq.passwords.php

  1. $hash = hash(‘sha256’, $password1);
  2. function createSalt()
  3. {
  4. $text = md5(uniqid(rand(), true));
  5. return substr($text, 0, 3);
  6. }
  7. $salt = createSalt();
  8. $password = hash(‘sha256’, $salt . $hash);

Insert the value into “member” table.

  1. $conn = mysql_connect(‘localhost’, ‘root’, ”);
  2. mysql_select_db(‘login’, $conn);
  3. //sanitize username
  4. $username = mysql_real_escape_string($username);
  5. $query = “INSERT INTO member ( username, password, email, salt )
  6. VALUES ( ‘$username’, ‘$password’, ‘$email’, ‘$salt’ );”;
  7. mysql_query($query);
  8. header(‘Location: login.php’);
  9. ?>

The important code here is the “mysql_real_escape_string”. This will escape all character use for sql injection. So, only valid character will be used.

As I’ve said earlier, we will use the obsolete or depreciated function called mysql_connect. We will be creating another tutorial on how to use mysqli_connect in our next tutorial.

2 thoughts on “Create Secure Registration Page in PHP/MySQL Part I

Leave a Reply

Your email address will not be published. Required fields are marked *