How to Create Secure Registration Page in PHP/MySQL Part II

The mysqli extension works differently from the mysql extension. The 'i' stands for "improved", meaning it has features that the mysql extension lacks. There are two ways of using the mysqli extension: the object-oriented style and the procedural style. If you are migrating old PHP files to the mysqli extension, I prefer the procedural style, because converting existing mysql_* calls is very easy that way. Look at the example from our previous tutorial: we will still use the same database, called "login", and only change some of the code in "registration.html" and "register.php".

Procedural style

registration2a.html
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
</head>

<body>
<form name="register" action="register2a.php" method="post">
<table width="510" border="0">
<tr>
<td colspan="2"><p><strong>Registration Form</strong></p></td>
</tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" maxlength="20" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password1" /></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input type="password" name="password2" /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email" id="email" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" value="Register" /></td>
</tr>
</table>
</form>
</body>
</html>
```
Note that the only change is the value of the action attribute in the form tag: the previous value was register.php and it is now register2a.php.

register2a.php
```php
<?php
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$email = $_POST['email'];

//stop after each redirect: without exit the INSERT below would still run
//even though the input failed validation
if($password1 != $password2)
{
header('Location: registration2a.html');
exit;
}

if(strlen($username) > 30)
{
header('Location: registration2a.html');
exit;
}

$hash = hash('sha256', $password1);

function createSalt()
{
$text = md5(uniqid(rand(), true));
return substr($text, 0, 3);
}

$salt = createSalt();
$password = hash('sha256', $salt . $hash);

$conn = mysqli_connect('localhost', 'root', '', 'login'); //we have added the database name called "login"

//mysql_select_db('login', $conn); //we remove this line

//sanitize username and email: both are interpolated into the query below
$username = mysqli_real_escape_string($conn, $username);
$email = mysqli_real_escape_string($conn, $email);

$query = "INSERT INTO member ( username, password, email, salt ) VALUES
( '$username', '$password', '$email', '$salt' )";

//added $conn variable in order to connect to our database.
mysqli_query($conn, $query);

mysqli_close($conn);

header('Location: login.php');
exit;
?>
```

Object Oriented Style

registration2b.html

Just change the form tag from:

<form name="register" action="register2a.php" method="post">

to:

<form name="register" action="register2b.php" method="post">

register2b.php
```php
<?php
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$email = $_POST['email'];

//stop after each redirect: without exit the INSERT below would still run
//even though the input failed validation
if($password1 != $password2)
{
header('Location: registration2b.html');
exit;
}

if(strlen($username) > 30)
{
header('Location: registration2b.html');
exit;
}

$hash = hash('sha256', $password1);

function createSalt()
{
$text = md5(uniqid(rand(), true));
return substr($text, 0, 3);
}

$salt = createSalt();
$password = hash('sha256', $salt . $hash);

$mysqli = new mysqli('localhost', 'root', '', 'login'); //we change the mysqli_connect to "new mysqli"

//sanitize username and email: both are interpolated into the query below
$username = $mysqli->real_escape_string($username);
$email = $mysqli->real_escape_string($email);

$query = "INSERT INTO member ( username, password, email, salt ) VALUES
( '$username', '$password', '$email', '$salt' )";

//no $conn variable needed: the query runs through the mysqli object.
$mysqli->query($query);

$mysqli->close();

header('Location: login.php');
exit;
?>
```
Now do you see the difference? In terms of features there is no difference between the procedural and object-oriented approaches; use whichever style you are more comfortable with.
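As an added example that is not part of the original tutorial, here is the same registration handler written with mysqli prepared statements in both styles, plus the matching login check for the salted hash. Placeholders replace string interpolation, so neither mysqli_real_escape_string() nor $mysqli->real_escape_string() is needed. The table "member" and its columns come from the tutorial; the connection credentials are placeholders, and the function names (createSalt aside) are my own.

```php
<?php
// Added example, not the tutorial's own code: the register2a/register2b insert
// done with prepared statements (no manual escaping), plus the login check.
// Table "member" and its columns come from the tutorial; credentials are placeholders.
declare(strict_types=1);

// random_bytes() is PHP's CSPRNG; the uniqid()/rand() pair used above is not.
function createSalt(): string
{
    return bin2hex(random_bytes(8));          // 16 hex characters
}

// The tutorial's scheme: sha256(salt . sha256(password)). Keeping it in one
// function guarantees that registration and login compute the same value.
function hashPassword(string $password, string $salt): string
{
    return hash('sha256', $salt . hash('sha256', $password));
}

// Returns an error message, or null when the input is acceptable.
function validateRegistration(string $username, string $p1, string $p2, string $email): ?string
{
    if ($p1 !== $p2) {
        return 'passwords do not match';
    }
    if ($username === '' || strlen($username) > 30) {
        return 'username must be 1-30 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }
    return null;
}

// Procedural style: the ? placeholders carry the values; the driver never lets
// them be parsed as SQL, so escaping is no longer needed.
function registerProcedural(mysqli $conn, string $username, string $password, string $email): bool
{
    $salt   = createSalt();
    $stored = hashPassword($password, $salt);
    $stmt = mysqli_prepare($conn,
        'INSERT INTO member (username, password, email, salt) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ssss', $username, $stored, $email, $salt);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Object-oriented style: the same statement through the mysqli/mysqli_stmt objects.
function registerObjectOriented(mysqli $mysqli, string $username, string $password, string $email): bool
{
    $salt   = createSalt();
    $stored = hashPassword($password, $salt);
    $stmt = $mysqli->prepare(
        'INSERT INTO member (username, password, email, salt) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssss', $username, $stored, $email, $salt);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login side: look up salt and stored hash, recompute, compare in constant time.
function verifyLogin(mysqli $mysqli, string $username, string $password): bool
{
    $stmt = $mysqli->prepare('SELECT password, salt FROM member WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash, $salt);
    $found = $stmt->fetch();                  // true = row read, null = no such user
    $stmt->close();
    return $found === true && hash_equals($storedHash, hashPassword($password, $salt));
}

// Request handling, same flow as the tutorial but stopping after each redirect.
$username  = $_POST['username']  ?? '';
$password1 = $_POST['password1'] ?? '';
$password2 = $_POST['password2'] ?? '';
$email     = $_POST['email']     ?? '';

if (validateRegistration($username, $password1, $password2, $email) !== null) {
    header('Location: registration2b.html');
    exit;
}

$mysqli = new mysqli('localhost', 'root', '', 'login');   // placeholder credentials
if ($mysqli->connect_error) {
    http_response_code(500);
    exit('database connection failed');
}
$ok = registerObjectOriented($mysqli, $username, $password1, $email);
$mysqli->close();
header('Location: ' . ($ok ? 'login.php' : 'registration2b.html'));
exit;
```

The two register functions are interchangeable; the bottom of the script calls the object-oriented one, and swapping in registerProcedural() with a mysqli_connect() handle gives the procedural version. hash_equals() is used for the comparison because a plain == on the two hex strings returns early on the first differing byte, which leaks timing information. For a new project, password_hash() and password_verify() replace the hand-rolled salt-and-SHA-256 scheme entirely; the scheme is kept here only so that the login check matches what the tutorial's registration scripts already store.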

Comments

This works fine. However, now that the password is hashed in the database, how do I write the login so as to read it?
