This is probably not secure but ignore that. I've made a simple homepage with login, registration and logout. But I'm having a problem storing the password in my database. It somewhat looks hashed/salted. I don't understand much when I'm not hashing it myself. In fact I have no experience with salting at all, so please don't come with a professional solution.

This is how it looks in the database after registration. The database has the following attributes: id, username, password, email:

9, test, *94BDCEBE19083CE, test@mail.com

But should look like this:

9, test, test, test@mail.com

My registration.php looks like this:

```php
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="styles.css">
    </head>
    <body>
        <?php
        // Logs in and selects the database
        include ("dbConfig.php");

        // Input validation and the database code
        if ( $_GET["op"] == "reg" )
         {
         // Reject the request if any field is empty (or nothing was posted)
         $bInputFlag = !empty($_POST);
         foreach ( $_POST as $field )
            {
            if ($field == "")
               {
               $bInputFlag = false;
               }
            }
         // If we had problems with the input, exit with error
         if ($bInputFlag == false)
            {
            die( "Problem with your registration info. "
               ."Please go back and try again.");
            }

         // Fields are clear, add user to database
         //  Setup query
         $q = "INSERT INTO dbUsers (username, password , email ) "
            ."VALUES ('".$_POST["username"]."', "
            ."PASSWORD('".$_POST["password"]."'), "
            ."'".$_POST["email"]."')";
         //  Run query
         $r = mysql_query($q);

         // Make sure query inserted user successfully
         if ( !mysql_insert_id() )
            {
            die("Error: User not added to database.");
            }
         else
            {
            // Redirect to thank you page.
            Header("Location: register.php?op=thanks");
            }
         } // end if


        // The thank you page
        elseif ( $_GET["op"] == "thanks" )
         {
         echo "<form action='members.php' method='POST'>";
         echo "<div class='panel'> <span><font color='lime'>Thanks for registering!</font></span>";
         echo "<label><input type='submit' class ='button' value='Back'></label></div></form>";
         }

        // The web form for input
        else
         {
         echo  "
         <div class='box'>
            <h1>Registration</h1>
            <form action=\"?op=reg\" method=\"POST\">
                <label>
                    <span>Username</span>
                    <input autocomplete='off' class='input_text' name='username'>
                </label>
                <label>
                    <span>Password</span>
                    <input autocomplete='off' class='input_text' type='password' name='password'>
                </label>
                <label>
                    <span>Email</span>
                    <input autocomplete='off' class='input_text' name='email'>
                </label>
                <label>
                    <input type='submit' class='button' value='Registrer'>
                </label>
            </form>
         </div>";
         }
        ?>
    </body>
</html>
```
rtc11
  • http://stackoverflow.com/questions/2131252/better-way-save-password-in-mysql-which-can-be-decrypted-also-using-php?rq=1 – Jocelyn Aug 25 '12 at 14:26
  • 3
    **Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). – eggyal Aug 25 '12 at 14:36
  • 2
    Also, as stated in [the introduction](http://www.php.net/manual/en/intro.mysql.php) to the PHP manual chapter on the `mysql_*` functions: *This extension is not recommended for writing new code. Instead, either the [mysqli](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also the [MySQL API Overview](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API.* – eggyal Aug 25 '12 at 14:39
  • 1
    Why register on that site? Everybody can simply "login". – PeeHaa Aug 25 '12 at 15:03
  • 1
    http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers – tereško Aug 25 '12 at 15:04

1 Answer

Just remove the PASSWORD() function from the SQL statement.

So you have to modify your code like this:

```php
$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".$_POST["username"]."', "
        ."'".$_POST["password"]."', "
        ."'".$_POST["email"]."')";
```

Beware that this is insecure because SQL injection is possible. You can use prepared statements with the mysqli_* functions to prevent this. If you cannot use mysqli_*, you can also use mysql_real_escape_string().

Your code would then look like this:

```php
$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".mysql_real_escape_string($_POST["username"])."', "
        ."'".mysql_real_escape_string($_POST["password"])."', "
        ."'".mysql_real_escape_string($_POST["email"])."')";
```
nkr
  • That worked! Btw, how can I decrypt the password from the database if I use the PASSWORD() function? – rtc11 Aug 25 '12 at 14:35
  • 3
    @rtc11: You can't. Hashing is designed to be a one-way function. – eggyal Aug 25 '12 at 14:38
  • This kind of query exposes the server to immediate [SQL injection attacks](http://bobby-tables.com/). All $_POST data must be properly escaped before use in a mysql query. – Jocelyn Aug 25 '12 at 14:56
  • @Jocelyn: That's absolutely right but the OP said that he does *not* want any help besides the original question. The comments below the question cover the aspect of SQL injections clearly enough. Besides, there are many more flaws in the code than a single answer could cover. So I respect the author's request not to correct more than he wants. – nkr Aug 25 '12 at 14:58
  • @Jocelyn that's what PDO is for – Sammaye Aug 25 '12 at 14:58
  • @Jocelyn In fact the `mysql_` driver functions are being deprecated so in theory he shouldn't even be querying the DB like that, but that's beside the question. – Sammaye Aug 25 '12 at 14:59
  • @nkr: unreasonable requests like "Give me a (very) unsecure solution to my problem" should be ignored. – Jocelyn Aug 25 '12 at 15:05
  • 1
    @Sammaye The point is that although OP's question is answered, other people viewing this now or in the future may see this answer and think: Just what I needed and BAM now you have other people using this broken code. – PeeHaa Aug 25 '12 at 15:05
  • @Sammaye: the query in the current answer may be used with mysqli_* functions too (which are NOT deprecated). – Jocelyn Aug 25 '12 at 15:09
  • After so many complaints I edited my answer to inform future readers to use `mysqli_*` or at least `mysql_real_escape_string()`. – nkr Aug 25 '12 at 15:10
  • @Jocelyn well you got a second problem then since `mysql_real_escape_string` is also "broken" since it can be flawed with certain unicode characters that the more advanced pdo extension actually takes care of. – Sammaye Aug 25 '12 at 15:13
  • @Sammaye This is not true with MySQL versions after `5.1`. The bugs were fixed. Read [this answer](http://stackoverflow.com/a/12118602/1409082) – Jocelyn Aug 25 '12 at 15:17
  • @Jocelyn Well you still have the fundamental problem of casting as shown above. – Sammaye Aug 25 '12 at 15:21
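
The approach the comments above point to (prepared statements instead of string-built SQL, and a salted one-way hash that is verified rather than decrypted), as an added example that is not part of the original question or answer. It assumes PHP 5.5+ with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so that it runs offline; `registerUser` and `checkLogin` are hypothetical helper names.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server (assumption),
// so the script runs offline. With MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dbUsers (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    email TEXT NOT NULL)');

// Hypothetical helper: register a user with a salted one-way hash.
function registerUser(PDO $pdo, $username, $password, $email)
{
    if ($username === '' || $password === '' || $email === '') {
        return false; // reject if ANY field is empty
    }
    // password_hash() generates the salt itself and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders: values are sent as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO dbUsers (username, password, email) VALUES (?, ?, ?)');
    return $stmt->execute([$username, $hash, $email]);
}

// Hypothetical helper: check a login attempt. The hash is never "decrypted";
// the candidate password is hashed with the stored salt and compared.
function checkLogin(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT password FROM dbUsers WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input, including a username that contains a quote.
registerUser($pdo, 'test', 'test', 'test@mail.com');
registerUser($pdo, "o'brien", 'hunter2', 'ob@mail.com');

var_dump(checkLogin($pdo, 'test', 'test'));        // correct password
var_dump(checkLogin($pdo, 'test', 'wrong'));       // wrong password
var_dump(checkLogin($pdo, "o'brien", 'hunter2'));  // quote handled as data
var_dump($pdo->query('SELECT COUNT(*) FROM dbUsers')->fetchColumn());
```

The password column needs room for the full hash string; the PHP manual recommends 255 characters for values produced with `PASSWORD_DEFAULT`.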