How to Create Secure Registration Page in PHP/MySQL Part III

In our last two articles, we discuss on how to create a registration page using mysql and mysqli extension and how to secure it using mysql_real_escape_string or mysqli_real_escape_string.

This time we will modify our code to use PDO instead of mysql or mysqli extension.

Before we begin, let’s give some few advantages of using PDO in favor of mysqli.

• Portability – supports 12 different drivers
• Prepared statements – no need to use real_escape_string
• Object Oriented
• Named parameters
• Support stored procedures

PDO and mysqli has little to no difference at all except that PDO is more portable. So, if you want to connect to multiple databases without using different drivers, it’s preferable to use PDO.

Now, here’s the code of using PDO with little changes from our previous tutorial.

<?php
//retrieve our DATA FROM POST
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
 
IF($password1 != $password2)
    header('Location: registration.html');
 
IF(strlen($username) > 30)
    header('Location: registration.html');
 
$hash = hash('sha256', $password1);
 
FUNCTION createSalt()
{
    $text = md5(uniqid(rand(), TRUE));
    RETURN substr($text, 0, 3);
}
 
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
 
$conn = NEW PDO('mysql:host=localhost;dbname=login', 'root', '');
 
$qry = $conn->PREPARE('INSERT INTO member (username, password, email, salt) VALUES (?, ?, ?, ?)');
$qry->EXECUTE(array($username, $password, $email, $salt));
 
header('Location: login.php');
?>